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(7!) We, COMPAGNIE INTER- 
NATIONALE POUR L'INFORMATIQUE 
CI 1-HONEYWELL-BULL (formerly Q>m- 
pagnie Honeywell-Bull), a French Body 
5 Corporate, of 94 Avenue Gambetta, Pans 
75020, France, do hereby declare the 
invention, for which we pray that a patent 
may be granted to us, and the method by 
which it is to be performed, to be 
10 particularly described in and by the 
following statement: — 

The present invention concerns 
apparatus for protecting the information in 
a virtual memory system in programmed 
15 data processing apparatus. 

Several schemes have been utilized in the 
past in order to protect information. Some 
of them are detailed by Robert M. Graham 
in a paper entitled "Protection in an 
20 Information Processing Utility", published 
in CACM (May 1968). 

This type of memory protection is 
inadequate for present day 
multiprogramming systems because there is 
25 no provision for gradations of privilege or 
gradations of accessability, and severely 
limits the control over access to 
information. There should be provisions for 
different access rights to the different types 
30 of information. A partial answer to this 
■ problems is found in the concept of a 
memory having a segment as the unit of 
information to which access is controlled 
(see Patent Application No. 21630/74, 
35 (Serial No. 1,465,344), filed on 15 May 1974). 
Varying degrees of access to each segment 
is possible by providing for different types 
of privileges attached to each segment such 
as master/slave, write/no-wrile and 
40 execuie/non-execute. However, this 
method of protecting the privacy and 
integrity of information does not take into 
account the user of the information. Under 
this type of protection, privilege is not 
45 accorded the user but the information 
being protected. Hence a user if he has 
access at all to a segment has access similar 
to all other users who have access to the 



segment. David C Evans and Jean Yves 
LeClerc in a paper entitled "Address 50 
Mapping and the Control of Access in an 
Interactive Computer," SJCC 1967, 
recognized the problem and attempted a 
solution. Evans and LeClerc said in that 
article p. 23, "The user of a computing 55 
system should be able to interact arbitrarily 
with the system, his own computing 
processes, and other users in a controlled 
manner. He should have access to a large 
information storage and retrieval system 60 
called the file system. The file system 
should allow access by all users to 
information in a way which permits 
selectively controlled privacy and security 
of information. A user should be able to 65 
partition his computation into scrai- 
mdependent tasks having controlled 
communication and interaction among 
tasks. Such capability should reduce the 
human effort requked to construct, debu g, 70 
and modify programs and should make 
possible increased reliability of programs. 
The system should not arbitrarily limit the 
use of input/output equipment or limit 
input/output programming by the user". 75 
Evans and LeClerc proposed conditioning 
access rights on the procedure-in- 
execution. The segment, under their 
proposal, is still the unit of information to 
which access is controlled; however, a 80 
segment's access control attributes are 
recorded substantially in a user-name 
•versus procedure tables whose entries are 
the access modes. Such a solution, 
however, has serious drawbacks. For one, 85 
the construction and updating of each 
segment's table of access control attributes 
presents a formidable task. For another, 
100 many uses of the segment and event 
occurrences must be foreseen. To 90 
overcome this problem access control by 
procedure-set was suggested. Under this 
suggestion, related procedures arc grouped 
into "sets of procedures" and access rights 
to segments is based on the identity of the 95 
set to which the procedure seeking access 
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belongs. This method alleviated the 
problem of constructing and updating each 
segment's voluminous tables of access 
control attributes, but introduced the 
5 problem of determining to which set a given 
procedure belonged, particularly when a 
procedure was or could be a number of 
many sets. This ambiguity in defining sets, 
and the possible transitions between sets 
10 makes the implementation of access 
control based on "sets of procedures" 
extremely difficult. 

To overcome the difficulties encountered 
with the "set v technique a ring concept was 
15 developed. The ring concept groups the 
sets of procedures into rings that can 
unambiguously be ordered by increasing 
power or level of privilege. By assigning a 
collection of sets to a collection of 
20 concentric rings, and assigning numbers to 
each ring with the smallest ring having the 
smallest number and each succeeding 
larger ring having a progressively greater 
number, different levels of privilege can 
25 then be unambiguously assigned to the user 
of a segment. Under this concept the 
innermost ring having the smallest number 
assigned to it has the greatest privilege. 
Hence it can be postulated that users in the 
30 lowest ring number can access information 
having higher ring numbers, but users in a 
higher ring number cannot access 
information having lower ring numbers or 
can access information in a lower ring 
35 number only in a specified manner. This 
palpable change of power or level of 
privilege with a change in rings is a concept 
which overcomes the objections associated 
to a change of sets. 
40 Multics {Multiplexed /nformation and 
Computing Service) is an operating system 
developed primarily by Massachusetts 
Institute of Technology, in cooperation 
with General Electric Co. and others which 
45 first utilized the ring theory of protection in 
software on a converted Honeywell 635 
(Registered Trade Mark) computer and 
later on a Honeywell 645 (Registered Trade 
* Mark) computer. The Multics philosophy 
50 utilizes 64 rings of protection numbered as 
rings 0—63 and is set forth generally in a 
paper entitled "Access Control to the 
Multics Virtual Memory" published by 
Honeywell Information Systems inc. in the 
Multics Technical Papers. Order No. 
AG95, Rev. O. A more detailed description 
of Multics ring protection is to be found on 
chapter 4 of a book entitled "The Multics 
System; An Examination of its Structure", 
by Elliott I. Organzck, published by MIT 
Press* and also in the Multics System 
Programmers Manual 1969, MIT Project 
MAC. Briefly, the Multics system docs not 
utilize a "pure ring protection strategy" but 
rather employs the "ring bracket protection 



strategy" wherein a user's access rights with 
respect to a given segment are encoded in 
an access-mode and a triple of ring number 
(ri, r2 % r3) called the user's "ring brackets" 
for a given segment. A quotation from 70 
pages 137—139 from the Multics Technical 
Paper entitled, "Access Control to the 
Multics Virtual Memory" sets out the rules 
and conditions for using and changing 
rings. 75 

This "ring protection concept" was first 
implemented with software techniques 
utilizing 64 separate rings. Subsequently an 
attempt was made to define a suitable 
hardware base for ring protection. The 80 
Honeywell 645 (Registered Trade Mark) 
computer represents a first such attempt. 
The Honeywell 645 (Registered Trade 
Mark) system differs from the "ringed 
hardware" concepts described supra in 85 
several respects which when taken 
together, add up to the fact that the 
Honeywell 645 (Registered Trade Mark) is 
a 2-ring rather than a 64-ring machine, and 
has in lieu of a "ring register", a master 90 
mode and a slave mode, which imparts 
greater power to the processor when in 
master mode than when in slave mode. 
"The access control field of the 64Ss SDW 
(segment descriptor word) contains no 95 
information about rings; in particular its 
does not contain ring brackets. It does, 
however, contain either 

a) access-mode information possibly 
including ehher of the two descriptors; 100 

accessible in master mode only, 
master mode procedure; 

b) the specification of one of eight 
special 'directed' faults (traps) which is to 
occur whenever the segment descriptor 105 
word (SDW) is accessed. 

"The procedure is only *in master mode* 
when executing a procedure whose SDW 
indicates a 'master mode procedure*. The 
processor may enter master mode while no 
executing a slave mode procedure by. 

faulting, 

taking an interrupt". 

"The 645 processor's access control 
machinery interprets the SDW during the 115 
addressing cycle and causes the appropriate 
action to occur depending on the SDW and 
(usually) on the attempted access, as 
follows: 

a. If the SDW implies a particular |0Q 
directed fault", then that fault occurs. 

b. Otherwise, if the SDW does nor 
permit the attempted access, the 
appropriate access violation fault occurs. 

c. Otherwise, the SDW permits the )25 
attempted access and the access is 
performed. 

"When a fault occurs, the 645 enters 
master mode and transfers control to the 
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appropriate master mode fault handling 
procedure". (Access Control to the Multics 
Virtual Memory, supra pps. 157 — 158). 
Another paper by Michael D. Schroeder 

5 and Jerome H. SalUer entitled **A 
Hardware Architecture for Implementing 
Protection Rings'* published in 
Communications of the ACM, March 1972 
Vol. 15, No. 3, sets forth background and 

10 theory of ring protection and describes a 
hardware implementation of "ring 
protection". 

Because the Multics and Honeywell 645 
version of ring protection was implemented 

15 mainly in software, considerable operating 
system supervisor overhead was entailed 
particularly when calls to greater or lesser 
power were made by trapping to a 
supervisor procedure. What was required 

20^ was an access control mechanism which 
had the functional capability to perform 
effectively its information protection 
function, was relatively simple in operation, 
was economic to build, operate and 

25 maintain, and did not restrict programming 
generality. The Honeywell 6000 
(Registered Trade Mark) computer system 
met these requirements by implementing 
most of the ring protection mechanism in 

30 hardware. Hence special access checking 
logic, integrated with the segmented 
addressing hardware was provided to 
validate each virtual memory reference, 
and also some special instructions for 

35 changing the ring of execution. However 
certain portions of the ring system 
particularly outward calls and returns or 
calls to a lesser power and returns 
therefrom presented problems which 

40 required the ring protection function to be 
performed by transferring control to a 
supervisor. What is now needed are further 
improvements in hardware and techniques 
that will permit a full implementation of 

45 ring protection in hardware/firmware and 
will meet the criteria of functional 
capability, economy, simplicity and 
programming generality. 
Accordingly the present invention has for 

50 an object to provide an improved computer 
ring protection mechanism. 

Accordingly the present invention 
consists in an internally programmed data 
processing apparatus CPU having a virtual 

55 memory system, and being responsive to 
internally stored instruction words for 
processing information and having stored in 
said virtual memory system a plurality of 
different types of groups of information 

60 each information group-type associated 
with an address space bounded by a 
segment having adjustable bounds, and 
comprising means for protecting the 
information in said-virtual memory system 

65 from unauthorized users by restricting 



accessability to the information in 
accordance to levels of privilege, said 
means comprising in combination with an 
access checking mechanism: 

(a) first means arranged in operation to 70 
store in said virtual memory system at least 
one segment table comprising a plurality of 
segment descriptors with cacn segment 
descriptor being associated with a 
predetermined one of said segments and 75 
each segment descriptor having a 
predetermined format containing an access 
information element and a base address 
element in predetermined positions of said 
format, said base address element being go 
used for locating in said virtual memory 
system the starting location of a selected 
one of said segments, and said access 
information element for specifying the 
minimum level of privilege required for a 85 
predetermined type of access that is 
permitted in a selected one of said 
segments: 

(b) a plurality of second means having a 
predetermined format, communicating 90 
with said first means, arranged to store in a 
predetermined portion of said second 
means, a segment number SEG for 
identifying a segment table and the location 

of a segment descriptor within said segment 95 
table, said second means also being 
arranged to store in a predetermined other 
portion of said second means, an offset 
address within the segment identified by 
said segment descriptor said offset address 100 
locating from said segment base the first 
byte of a word within said segment; 

fc) third means responsive to an address 
syllable element of an instruction being 
executed for addressing one of said 105 
plurality of second means; 

(d) fourth means arranged to store a 
displacement from said address syllable; 

(e) fifth means, communicating with said 
first, second, third and fourth means, no 
arranged to add the displacement D and 
said base address to said offset; and, 

(0 sixth means responsive to said access 
information element in a selected one of 
said segment descriptors, restricting the |J5 
accessability to the segment associated with 
said selected one of said segment 
descriptors in accordance to the level of 
privilege and the type of access specified in 
said access information element, wherein 120 
each group-type of information is 
associated with a predetermined ring 
number indicative of a level of privilege 
said legel of privilege decreasing as the 
associated ring number increases 125 
comprising means for determining the 
maximum effective address ring number 
EAR (i.e. minimum level of privilege) of a 
selected process to access a selected group 
of information, said means comprising; 130 



(a) first means to store first information 
indicating the maximum ring number RD 
(i.e. minimum level of privilege) required to 
read information from said selected group; 
5 (b) second means to store second 
information indicating the maximum ring 
number WR (i.e. minimum level of 
pnviieec) required to write information into 
said selected group; 
10 _ (c) third means to store third 
information indicating the maximum ring 
number MAXR (i.e. minimum level of 
privilege) required to process information 
from said selected group; and T 

(d) fourth means communicating with 
said first, second and third means, to 
determine the maximum of the contents of 
said first, second and third means whereby 
the effective address ring number EAR is 
20 generated. 

The present invention, however, both as 
to organization and operation thereof may 
best be understood by reference to the 
following description which is given by way 
& of example in conjunction with the 
accompanying drawings in which: 

Figure I is a block diagram of a computer 
system utilizing the invention. 

™ Figurc 2 is a schematic diagram 
illustrating the levels of privilege of the 
invention. 

Figure 3 is a flow diagram of the 
segmented address scheme utilized by the 
invention. 

35 Figures 4A — 4J are schematic diagrams 
of various novel hardware structures 
utilized in the invention. 

Figure 5 is a schematic diagram of the 
computer ring protection hardware, 
w Figure 6 is a schematic diagram of the 
computer segmented addressing hardware 
Figures 7a— 7h and Figures 8a—Sc are 
detailed logic block diagrams of the ring 
protection hardware. 
45 **>—9k is a legend of the symbols 

utilized in the diagrams of the invention. 

Figure 10 is a schematic diagram of three 
stack segments, one each for nng 0, 1 and 3 
respectively. 
50 Figure 1 1 A shows the format of the Enter 
Procedure instruction. 

Figure 1 IB shows the format of a 
procedure descriptor. 

Figure I !C shows the format of a gating 
procedure descriptor GPD the first word of 
the segment containing the procedure 
descriptors. 

Figure 1 1 D shows the format of the Exit 
Procedure instruction. 
60 Figure J2 w a flow diagram of a portion 
or the Enter Instruction pertaining to ring 
crossing and ring checking. 

Figure 13 schematically shows a segment 
descriptor and the segment containing 
procedure descriptors. 
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Figures 14—16 are flow diagrams 
showing various operations that are 
performed when the Enter Procedure 
instruction is executed. 

Figure 17 is a flow chart of the Exit 70 
Instruction. 

As previously discussed the ring concept 
of information protection was originated on 
MULTICS and implemented on various 
Honeywell (Registered Trade Mark) 75 
Computer Systems. The original MULTICS 
concept required 64 rings or level of 
privilege and later implementation had the 
equivalent of two rings on the Honeywell 
645 and 8 rings on the Honeywell 6000 80 
(Registered Trade Mark). The embodiment 
described herein groups data and 
procedure segments in the system into a 
hierarchy of 4 rings or classes. (Refer to 
Figure 2). The 4 rings or privilege levels are 85 
identified by integers 0—3; each ring 
represents a level of privilege in the system 
with level 0 having the most privilege and 
level 3 the least. Level 0 is known as the 
inner ring and level 3 as the outer ring. The 90 
basic notion as previously discussed is that 
a procedure belonging to an inner ring has 
free access to data in an outer ring. 
Conversely a procedure in an outer ring 
cannot access data in an inner ring without 95 
incurring a protection violation exception. 
Transfer of control among procedures is 
monitored by a protection mechanism such 
that a procedure execution m an outer ring 
cannot directly branch to a procedure in an 100 
inner nng. This type of control transfer is 
possible only by execution of a special 
"procedure-call" instruction. This 
instruction is protected against misuse in a 
number of ways. First, a gating mechanism 105 
is avtlable to ensure that procedures are 
entered only at planned entry points called 
gates when crossing rings. The segment 
descriptor of such a procedure contains a 
gate bit indicating that procedures in this 1 10 
segment can be entered only via gates- 
information regarding these gates is 
contained at the beginning of the segment 
and is used by the hardware to cause entry 
at a legal entry-point. The procedure itself 1 15 
must then verify (in a way which, of 
necessity depends on the function of the 
procedure) that it is being legitimately 
called. A further hardward protection 
mechanism is available in the case that the 120 
calling procedure supplies an address as a 
parameter; it is then possible that the more 
privileged procedure would invalidly 
modify information at this address which 
the Jess privileged caller could not have 125 
done, since the ring mechanism would have 
denied him access; an address validation 
instruction is available to avoid this 
possibility. 

An important convention is required 130 
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here in order to protect the procedure call 
mechanism. This states that it is not in 
general permissible to use this mechanism 
lo call a procedure in a less privileged ring 
5 and return to the more privileged one. This 
restriction is necessary since there is no 
assurance that the procedure in the higher 
ring will, in fact, return; that it will not, 
accidentally or maliciously, destroy 
LO information that the more privileged 
procedure is relying upon; or that it will 
not, accidentally or maliciously, violate the 
security of the stack (see GLOSSARY for 
definition). Any of these could lead to 
15 unpredictable results and crash the system. 
The level of privilege are quite 
independent of the process control 
mechanism and there is no notion here of 
privileged and non-privileged processes as 
20 in the IBM system 360 (Registered Trade 
Mark). Instead the same process can 
execute procedures at different levels of 
privilege (rings) subject to the restrictions 
imposed by the ring mechanism. In this 
25 sense the ring mechanism can be viewed as 
a method for subdividing the total address 
space assigned lo a process according to 
level of privilege. 
The ring mechanism defined herein 
30 permits the same segment to belong to up 
to 3 different rings at the same time Le. 
there are 3 ring numbers in each segment 
descriptor, one for each type of possible 
access. Thus the same segment can be in 
35 ring one with respect to "write" access, ring 
two with respect to "execute" access and 
ring three with respect to "read" access. 
One obvious use for this is in the case of a 
procedure segment which can be written 
40 only by ring zero (perhaps the loader) but 
can be executed in ring three. 

Of the four available rings, two are 
allocated to the operating system and two 
to users. Ring zero, the most privileged 
45 ring, is restricted to those operating system 
segments which are critical to the operation 
of the whole system. These segments form 
the hard core whose correctness at all times 
is vital to avoid disaster. Included would be 
50 the system information base, those 
procedures dealing with the organisation of 
physical memory or the initiation of 
physical data transfer operations, and the 
mechanisms which make the system 
55 function, like the "exception supervisor, 
the scheduler, and the resource 
management". 

Ring one contains a much greater 
volume of operating system segments 
60 whose failure would not lead to catastrophe 
but would allow recovery. Included herein 
are the language translators, data and 
message management, and job and process 
management. Through the availability of 
65 two rings for the operating system, the 



problem of maintaining system integrity is 
made more tractable, since the smaller hard 
core which is critical is isolated and can be 
most carefully protected. 

Rings two and three are available to the 70 
user to assign according to his requirement. 
Two important possibilities are debugging 
and proprietary packages. Programs being 
debugged may be assigned to ring two while 
checked out programs and data with which 75 
they work may be in ring two; in this way 
the effect of errors may be localized. 
Proprietary programs may be protected 
from their users by being placed in ring two 
while the latter occupy ring three. In these 80 
and other ways, these two rings may be 
flexibly used in applications. 

The General Rules of the Ring System 

1. A procedure in an inner ring such as 85 
ring 2 on Figure 2 has free access to data in 

an outer ring such as ring 3 and a legal 
access (arrow 201) results. Conversely a 
procedure in an outer ring such as ring 3 
cannot access data in an inner ring such as 90 
ring 2 and an attempt to do so results in an 
illegal access farrow 202). 

2. A procedure in an outer ring such as 
ring 3 can branch to an inner ring such as 
ring 1 via gate 204 which results in a legal 95 
branch 203, but a procedure operating in an 
inner ring such as ring 2 may not branch to 

an outer ring such as ring 3. 

3. Each segment containing data is 
assigned 2 ring values, one for read (RD) 100 
and one for write (WR). These ring values 
specify the maximum ring value in which a 
procedure may execute when accessing the 
data in either the read or write mode. 

Each time a procedure instruction is 105 
executed, the procedure's ring number 
(effective address ring, EAR) is checked 
against the ring numbers assigned to the 
segment containing the referenced data. 
The EAR is the maximum number of 110 
process ring numbers in the processor 
instruction counter (see later description) 
and all ring numbers in base registers and 
data descriptors found in the addressing 
path. Access to the data is granted or 115 
denied based on a comparison of the ring 
numbers. For example, if a system table 
exists in a segment having a maximum 
read/ring value of 3 aod a maximum 
write/ring value of I, then a user procedure 120 
executing in ring 3 may read the table but 
may not update the table by writing therein. 

Procedure Calls and the Stack Mechanism: 

The procedure call and stack mechanism 125 
is an apparatus being described herein 
Procedure calls are used to pass from one 
procedure to another; to allow user 
procedures to employ operating system 
services; and to achieve a modular 130 
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structure within the operating system. A 
procedure call is effected by instructions 
and a hardware recognized entity called a 
slack. 

5 A stack is a mechanism that accepts, 
stores and allows retrieval of data on a last- 
in -first-out basis. Slacks reside in special 
segments called stack segments. A stack 
segment consists of a number of contiguous 
10 parts called stack frames which are 
dynamically allocated to each procedure. 
The first stack frame is loaded into the low 
end of the segment and succeeding frames 
are loaded after it. The last frame loaded is 
If considered the top of the stack. A T- 
register 1 14 (see Figure 1) locates the top of 
the stack for the currently active process. A 
virtual T-register exists in the process 
control block (PCB) of all other processes 
20 in the system. 

A stack frame consists of three areas: a 
work area in which to store variables, a save 
area in which to save the contents of 
registers, and a communications area in 
25 which to pass parameters between 
procedures. Prior to a procedure call, the 
user must specify those registers he wishes 
saved and he must load into the 
communications area the parameters to be 
30 passed to the called procedure. When the 
call is made, the hardware saves the 
contents of the instruction counter and 
specified base registers to facilitate a return 
from the called procedure. 
35 Each procedure call creates a stack 
frame within a stack segment and 
subsequent calls create additional frames. 
Each exit from one of these called 
procedures causes a stack frame to be 
40 deleted from the stack. Thus, a history of 
calls is maintained which facilitates orderly 
returns. 

To ensure protection between 
procedures executing in different rings, 

45 different stack segments are used. There is 
one stack segment corresponding to each 
protection ring per process. A process 
control block (PCB) contains three stack 
base words (SB W) which point to the start 

50 of the stack segment for ring9 0 t 1 and 2 
associated with the process. The ring 3 
stack segment can never be entered by an 
inward call; therefore, its stack starting 
address is not required in the PCB. 

55 The procedure call is used by users who 
have written their programs in a modular 
way to pass from one program module to 
another. It is used by user programs to avail 
themselves of operating system services. It 

60 is used by the operating system itself to 
achieve a responsive modular structure. 
The procedure call as is described in the 
above referenced patent application is 
effected by hardware instructions and the 

65 hardware recognizable stack mechanism. 



The main requirements on a procedure 
call mechanism are: 

1. Check the caller's right to call the 
caller; 

2. Save the status of the caller which 70 
includes saving registers, instruction 
counter (for return), and other status bits; 

3. Allow for the passing of parameters; 

4. Determine valid entry point for the 
called procedure; 75 

5. Make any necessary adjustments in 
the addressing mechanism; 

6. Enter the new procedure. 

When the called procedure terminates or 
exits, whatever was done in the call must be 80 
undone so that the status of the calling 
procedure is restored to what it was before 
the call. 

As a preliminary to making a procedure 
call, the instruction PREPARE STACK is 85 
executed. This instruction causes those 
registers specified by the programmer in 
the instruction to be saved in the stack. It 
causes the status register (see Figure I) to 
be saved, and provides the programmer 90 
with a pointer to parameter space which he 
may now load with information to be 
passed to the called procedure. 

Another instruction ENTER 
PROCEDURE permits the procedure call 95 
via the following steps corresponding to the 
requirement specified above: 

1. Ring checking— the caller's ring is 
checked to make sure that this ring may call 

the new procedure; the call must be to a 100 
smaller or equal ring number; and if ring 
crossing does occur the new procedure 
must be gated through agate 204 of Figure 

2. The new ring number will then be that 

of the called procedure. ](£ 

2. The instruction counter is saved; 

3. Base register 0 (see Figure 1) is made 
to point effectively to the parameters being 
passed; 

4. The entry-point of the called HO 
procedure is obtained from a procedure 
descriptor whose address is con- 
tained in the ENTER PROCEDURE 
INSTRUCTION; 

5. A point to linkage information is 115 
loaded in base register number 7. 

6. The new procedure is entered by 
loading the new ring number and the 
address of the entry-point in the instruction 
counter. \2Q 

The remainder of the current stack- 
frame is also available to the called 
procedure for storage of local variables. 

When the called procedure wishes to 
return, it executes the instruction EXIT 125 
PROCEDURE. The registers and the 
instruction counter are then restored from 
their saving areas in the stack. 

Referring to Figure I there is shown a 
block diagram and a computer hardware 130 
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system utilizing the invention. A main 
memory 101 is comprised of four modules 
of metal-oxide semi-conductor (MOS) 
memory. The four memory modules I — 4 

5 are interfaced to the central processor unit 
100 via the main store sequencer i02. The 
four main memory modules 1 — 4 are also 
interfaced to the peripheral subsystem such 
as magnetic tape units and disk drive units 

10 (not shown) via the main store sequencer 
102 and the 10C (not shown). The main 
store sequencer gives the capability of 
providing access to and control of all four 
memory modules, 

15 Operations of the CPU arc controlled by 
a read only memory ROM, herein called 
the control store unit 110. 

The control store interface adapter 109 
communicates with the control store unit 

20 HO, the data mangagement unit 106, the 
address control unit 107 and the arithmetic 
logic unit 1 12 for directing the operation of 
the control store memory. The control 
store interface adapter 109 includes logic 

25 for control store address modification, 
testing, error checking, and hardware 
address generation. Hardware address 
generation is utilized generally for 
developing the starting address of error 

30 sequencers or for the initialization 
sequence. 

The buffer store memory 104 is utilized 
to store the most frequently used or most 
recently used information that is being 

35 processed by the CPU. 

The data management unit 106 provides 
the interface between the CPU 100 and 
main memory 101 and/or buffer store 
memory 104. During a memory read 

40 operation, information may be retrieved 
from main memory or buffer store memory. 
It is the responsibility of the data 
management unit to recognize which unit 
contains the information and strobe the 

45 information into the CPU registers at the 
proper time. The data management unit 
also performs the masking during partial 
write operations. 
The instruction fetch unit 108 which 

50 interfaces with the data management unit 
106, the address control unit 107, the 
arithmetic and logic unit 112 and the 
control store unit 110 is responsible for 
keeping the CPU 100 supplied with 

55 instructions. 

The address control unit 107 
communicates with the instruction fetch 
unit 108, the buffer store directory 105, the 
main store sequencer 102, the arithmetic 

60 logic unit 112, the data management unit 
105. and the control store unit 1 10 via the 
control store interface adapter 109. The 
address control unit 107 is responsible for 
all address development in the CPU. 

65 Interfacing with the address control unit 



107, the instruction fetch unit 108 and the 
control store unit 1 10 is the arithmetic logic 
unit 112 which is the primary work area of 
the CPU 100. Its primary function is to 
perform the arithmetic operations and data -jq 
manipulations required of the CPU. 

Associated with the arithmetic logic unit 
112 and the control store unit 110 is the 
local store unit 111 which typically is 
comprised of a 256-location (32 bits per 75 
location) solid state memory and the 
selection and read/write logic for the 
memory. The local store memory 111 is 
used to store CPU control information and 
maintain ability information. In addition, 80 
the local store memory 111 contains 
working locations which are primarily used 
for temporary storage of operands and 
partial results during data manipulation. 

The central processing unit 100 typically 85 
contains 8 base registers (BR) 116 which 
are used in the process of address 
computation to define a segment number, 
an offset, and a ring number. The offset is a 
pointer within the segment and the ring 90 
number is used in the address validity 
calculation to determine access rights for 
a particular reference to a segment. 

The instruction counter 118 
communicates with the main memory local 95 
register (MLR) 103 and with the instruction 
fetch unit (08, and is a 32-bit register which 
contains the address of the next instruction, 
and the current ring number of the process 
(PRN). Also contained in the central 100 
processing unit is a T register 114 which 
also interfaces with the instruction fetch 
unit 108 and is typically a 32-bit register 
containing a segment number and a 16-bit 
or 22-bit positive integer defining the 105 
relative address of the top of the procedure 
stack. The status register 115 is an 8-bit 
register in the CPU which among other 
things contains the last ring number — ie. 
the previous value of the process ring 110 
number (PRN). 

The main memory 101 is addressed by 
the memory address register (MAR) 119, 
and the information addressee by (MAR) 
1 1 9 is fetched and temporarily stored in the 115 
memory local register (MLR) 103. 
' Referring now to Figure 3 there is shown 
a flow diagram of the general rules for 
segmented address development shown in 
detail in the above mentioned copending 120 
patent application No. 21630/74, Serial No. 
1,465.344. Figure 3 when read in 
conjunction with the above referenced 
patent application is self-explanatory. 
There is however one major difference 125 
between the address development as shown 
on Figure 3 to that of the above mentioned 
application and that is that in the address 
development of Figure 3 of the instant 
application as many as 16 levels of 130 
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indirection may be utilized in the address 
development whereas in the above 
referenced application the levels of 
indirection were limited to a maximum of 
5 two. This of course is a matter of choice 
with the designer and in no way alters the 
high level inventive concept. 

Referring now to Figures 4A— 4J, 
Figures 4A and 4B show the format of the 
lO instruction counter designated by reference 
numeral 118 on Figure 1. The instruction 
counter (IC) 118 is a 32-bit register which 
contains the address of the next instruction, 
and the current ring number of the process 
1 5 (PRN). Referring specifically to Figures 4A 
and 4B the TAG is a 2-bit field which 
corresponds to the TAG field of data 
descriptors shown and described in the 
above reference application entitled 
"Segmented Address Development". PRN 
is a 2-bit field which defines the current ring 
number of the process to be used in 
determination of access rights to main 
storage. SEG is typically either a 12-bit or a 
25 6-bit field which defines the segment 
number where instructions are being 
executed. The OFFSET is typically either a 
16-bit or a 22-bit field which defines the 
address of the instruction within the 
30 segment SEG. 

Figures 4C— 4F show the formal of 
segment descriptors with Figures 4C and 
4D showing the first and second word of a 
direct segment descriptor whereas Figures 
35 4E and 4F show the first and second word 
of an indirect segment descriptor. Segment 
descriptors are two words long each word 
comprised of 32 bits. Referring to Figures 
4C — 4D which show the first and second 
40 word respectively of a direct segment 
descriptor, P is a presence bit. If P equals 
one, the segment defined by the segment 
descriptor is present in main storage. If P 
equals zero, the segment is not present and 
45 a reference to the segment descriptor 
causes a missing segment exception. AH 
other fields in a segment descriptor have 
meaning only if P equals one. A is the 
availability bit. If A equals zero, the 
50 segment is unavailable (or locked) and a 
reference to the segment causes an 
unavailable segment exception. If A equals 
one, the segment is available (or unlocked, 
and can be accessed). I is the indirection 
55 bit. If 1 equals zero, the segment descriptor 
is direct. If I equals one, the segment 
descriptor is indirect. U is the used bit. If U 
equals zero, the segment has not been 
accessed. If U equals one, the segment has 
60 been accessed. U is set equal to one by any 
segment access. W is the written bit. If W 
equals zero, no write operation has been 
performed on the segment. If W equals one, 
a WRITE operation has been performed on 
65 the segment. W is set to one by any WRITE 



operation. GS is the gating-semaphore bits. 
When the procedure call mechanism 
referred to above requires that the segment 
be a gating segment or when the process 
communication mechanism (not shown) 
requires that the segment be a segment 
descriptor segment (SD) the GS bits are 
examined. To be a valid gating segment, the 
GS bits must have the value 10. To be a 
valid SD segment, the GS bits must have 
the value 01. If a gating or SO segment is 
not required, these bits are ignored. The 
BASE is a 24-bit field which defines the 
absolute address in quadruple words of the 
first bvte of the segment. This field is 
multiplied by 16 to compute the byte 
address of the segment base. The SIZE is a 
field which is used to compute the segment 
size. If the segment table number, 
subsequently referred to as STN, is greater 
or equal to zero but less than or equal to six, 
the SIZE field is 18 bits long. The STN is a 
field indicating the segment table entry STE 
for selecting a segment descriptor. If the 
STN is greater than or equal to 8 but less 
than or equal to 15, the SIZE field is 12 bits 
long. The number of bytes in the segment is 
equal to 16 times (SIZE+I). If SIZE equals 
zero, the segment size is 16 bytes. RD is the 
read access field. This is a 2-bit field which 
specifies the maximum EAR (effective 
address ring number) for which a read 
operation is permitted on the segment. (A 
procedure is always permitted to read its 
own segment if EAR equals PRN). WR is 
the write access field. This is a 2-bk field 
which specifies the maximum EAR for 
which a write operation is permitted on the 
segment and the minimum PRN at which 
the segment may be executed. MAXR is 
the maximum ring number. This is a 2-bit 
field which specifics the maximum PRN at 
which the segment may be executed. WP is 
the write permission bit. This bit indicates 
whether a WRITE operation may be 
performed on the segment. If WP equals 
zero, no WRITE operation may be 
performed. If WP equals one, a WRITE 
operation may be performed if EAR is 
greater than or equal to zero but less than 
or equal to WR. EP is the execute 
permission bit. This bit specifies whether 
the segment may be executed. If EP equals 
zero, the segment may not be executed. If 
EP equals one, the segment may be 
executed at any PRN for which PRN is 
greater than or equal to WR but less than or 
equal to MAXR. MBZ is a special field 
which must be set to zero by software when 
the field is created, before its initial use by 
hardware. 

Referring to Figures 4E— 4F the 
definitions of the various fields are similar 
as above however word 0 includes a 
LOCATION field and word I includes a 130 



70 



75 



80 



85 



90 



95 



100 



105 



110 



115 



120 



125 



1,483,282 



_9 

RSU field. The LOCATION field is a 28-bit 
Field which defines the absolute address of a 
direct segment descriptor. The value in the 
LOCATION field must be a muliple of 8. 

5 The RSU field is a special field which is 
reserved for software use. 

Figures 4G — 4H show the format of the 
base registers (B R) which are used io the 
process of address computation to define a 

10 segment table number, a segment table 
entry number, an offset, and a ring number. 
There are typically 8 base registers as 
shown by reference numeral 1 16 on Figure 
' 1 . A base register is specified or identified 

15 as base register 0 through 7. The size of a 
base register is 32 bits long. The base 
register format of Figure 4G is utilized for 
small segment i.e. where STN is greater or 
equal to 8 but less than or equal to 15, 

20 whereas the format of base register of 
Figure 4H is utilized for large segments i.e. 
STN is greater or equal to zero but less than 
or equal to six. Referring to Figures 
4G— 4H, TAG is a 2-bit field which 

25 corresponds to the TAG of a data 
descriptor referenced previously. RING is 
a 2-bit field which contains the nng number 
associated with the segmented address for 
protection purposes. SEG is a field 

30 previously referred to, which identifies a 
segment described in a segment table. STN 
is the segment table number, and STE is the 
segment table entry number. OFFSET is a 
16-bit field or a 22-bit field depending on 

35 segment table number, which defines a 
positive integer. The OFFSET is used in the 
process of address development as a 
pointer within a segment. 
Referring to Figures 41 — 4J there is 

40 shown the format of the T-register. The T- 
register is a 32-bit register containing a 
segment number and a 16-bit or 22-bit 
positive integer defining the relative 
address of the top of the procedure stack 

45 previously mentioned. The T-registcr is 
shown by reference numeral 1 14 on Figure 
! . The various fields of the T-register have 
the same definition as described above. 
Referring now to Figures 3 and 4A — 4J a 

50 more defined description of absolute 
address calculation and access checking is 
made. In general absolute address 
calculation consists of fetching a segment 
descriptor specified by STN and STE and 

55 using the segment descriptors in four ways: 
access checking, computation of the 
absolute address, bound checking, and 
updating (U and W flags). As described in 
copending patent application No. 21630/74, 

60 (Serial No. 1,465,344) the absolute address 
may be direct or indirect and is derived by 
first deriving an effective address from 
STN, STE, and SRA (segment relative 
address). STN is extracted from bits 4 

65 through 8 of the base register BR specified 



in the address syllable of an instruction. If 
STN is 7, an out of segment table word 
array exception is generated. STE is 
extracted from the base register specified in 
the address syllable. If STN 4:4 (i.e., 70 
beginning at bit 4 and including the next 4 
bits) is greater than or equal to zero or less 
than or equal to six, STE is in a base register 
bits 8 and 9. If STN 4:4 (i.e. 4 bits beginning 
at bit 4) is greater than or equal to 8 but less 75 
than or equal to 15, STE is in a base register 
BR bits 8 through 15. The segment relative 
address SRA for direct addressing is 
computed by adding the displacement in 
the address syllable; the offset of the base 80 
register BR; and the 32-bit contents of an 
index register, if specified in the address 
syllable. The sum of these three quantities 
is a 32-bit unsigned binary integer which 
must be less than the segment size 85 
appropriate to the segment STN, STE. 

Indirect addressing is developed by 
fetching a data descriptor and developing 
an address from that descriptor. The 
effective address of the data descriptor is 90 
computed as in the direct addressing case 
with the exception that the index register 
contents arc not used. In developing the 
address from the data descriptor the 
effective address may be computed by an 95 
indirection to segment ITS descriptor and 
an indirection to base ITBB desc riptor . If 
the descriptor is ITS the STN and STE are 
extracted from the descriptor in the same 
manner as from a base register. SRA is 100 
computed by adding the displacement in 
the descriptor and the contents of an index 
register as specified in the syllable. If the 
descriptor is an ITBB descriptor then STN 
and STE are extracted from the base 105 
register specified in the BBR field (i.e. the 
base register implied by ITBB descriptor) 
of the descriptor as in direct addressing. 
SRA is computed by adding the 
displacement in the descriptor, the onset of 1 10 
the base register, and the contents of an 
index register is specified in the address 
syllable. 

As shown on Figure 3 the indirection 
process may be extended up to 16 levels. 115 

Every effective address contains 
protection information which is computed 
in address development and checks for 
access rights by the ring protection 
hardware of the absolute address 120 
calculation mechanism. The effective 
address contains protection information in 
the form . of an effective address ring 
number EAR (see Figures 2J and 2K of 
above application No. 2163QT74, (Serial No. 125 
1,465.344). The EAR is computed from the 
base register ring number BRN and from 
the current process ring number PRN by 
taking the maximum ring number. In 
developing the EAR for indirect addressing 1 30 
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a somewhat more tedious but essentially 
similar procedure as indirect addressing is 
used. In indirect addressing the EAR for 
extraction of the first descriptor (EAR 1) is 
once again the maximum of the ring 
number from the base register specified in 
the address syllable and the current process 
n f u "? bcr PRN in ^e instruction counter 
I IS of Figure 1 and stored in 00 register 512 
of Figure 5. The EAR for extraction of the 
second descriptor (EAR 2), of multiple 
level indirection is the maximum of: 
a. EAR 1; 

!>■ T hc rin £ number in the first descriptor 
if indirection is indirection to segment; 

c. The ring number from a base register 
116 utilized as a data base register BBR if 
the first descriptor is an indirection to 
segment descriptor ITBB. 

The EAR for extraction of the data of 
multiple level indirection is the maximum 
of: 

a. EAR 2: 

b. The ring number in the second 
descriptor ifit is an indirection segment 
descriptor ITS; 

c The ring number in one of the base 
registers utilized as a data base register 
BBR if the second descriptor is an 
indirection to base descriptor ITBB. 

Referring now to Figures 5 and 6, the 
transfers and manipulation of the various 
type ring numbers will be described 
at the system level. Detailed logic block 
diagrams for effecting the transfers and 
operations of Figure 5 will be later 
described. Referring first to Figure 6 an 
associative memory 600 is utUized in 
segmented address development. The 
associative memory 600 comprises 
essentially a IMS associator 609 which has 
circuitry which includes associative 
memory cells, bit sense amplifiers and 
drivers, and word sense amplifiers and 
drivers (not shown). A word or any part of a 
word contained in UAS associator 609 may 
be read, compared to another word with a 
match or no match signal generated 
.thereby, or be written cither in whole or in 
a selected part of thc associator 609. For 
example, US register 607 may contain a 
segment number which may also be in the 
associative memory 600. A comparison is 
made with UAS associator 609 and if a 
mdt 3 £ f P un ? a " hir results. The match 
or hit signal is provided to encoder 610. 
The function of encoder 610 is to transform 
the "hit" signal on one of the match lines to 
a 4 bit address. Encoder 610 provides this 4 
bit address to UAB associator buffer 61 1 so 
that the information contained in that 
particular location of UAB associator 
buffer 611 is selected. Information in UAB 
associator buffer 61 1 may be transferred to 
UV register 613 for temporary storage or 
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for transfer to QA or QB bus 614 and 615 
respectively. By thus locatinjg a prestored 
segment number of the associative memory 
600 (which may have been placed there 
after a generation of an absolute address) 
regeneration of thc same address is not 
necessary. In the drawing of Figure 6, UAB 
associator buffer 61 1 is shown as storing a 
first and second word of a segment 
descriptor; however other types of 
information may just as well be stored 
therein. This buffer 61 1 provides a function 
similar to that of buffer 104 in the more 
generalised diagram of Figure I. 

As mentioned supra the development of 
an absolute address of an operand from an 
effective address is disclosed in patent 
application No. 21630/74, {Serial No. 
1,465,344). Briefly and with reference to 
Figure 6 any of 8 base registers 602 are 
addressed via UG and UH registers 603 and 
604 respectively which contain base register 
addresses from an instruction address 
syllable or base register specified by the 
instruction formats. The base register 602 
contain such information as TAG, base 
register ring number BRN, segment table 
number STN, segment table entry STE and 
OFFSET as shown or contained by base 
registers 1 and 2 of the group of base 
registers 602. Writing into the base registers 
is performed under micro-op control by 
UWB logic 601. For example it is shown 
that information from the UM register 502 
of Figure 5 may be written into bit positions 
(2, 3) of a selected base register; also 
information from thc QA bus may be 
written into thc base registers and 
provisions are made to clear a selected base 
register i.e. write all zeroes. Reading out of 
any of thc base registers is performed by 
"BR logic 605. In general the UBR logic 
605 permits the appropriate base register to 
be strobed out onto bus QA or QB, or into 
UN register 608. Note that UN register 608 
holds bits 8 through 31 of the base registers 
which is the OFFSET part of the segmented 
address. Moreover UBR logic 605 when 
addressed by an address contained in 
instruction buffer IB (not shown) reads out 
the segment number SEG (which is 
comprised of STN and STE) into US 
register 607 via UBS transfer logic 606. The 
comparison of the segment number SEG in 
US register 607 with thc associative 
memory 600 may then be performed as 
previously described. It will be noted that 
bus (4—1 5) of QA bus 614 may also be read 
into or from US register 607. Similarly bits 
(8—31) from QA bus 614 may read into UN 
register 608. Also bits (9—11) of the US 
register 607 may be read into QA bus 614 as 
denoted by US (9—11) arrow {the arrows 
into various register and/or logic circuitry 
denote the source of data and that followed f 30 
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by a number denote the bit numbers of that UO register is used to save address syllable 

d a i?)- . _ I effective address ring number EAR in the 

Referring now to Figures 5 and 6, a 2-bit event the address syllable 2 is being utilized 

UP register 501 stores the current process to extract EAR 2. 

5 ring number PRN. The current process ring Two-bit UV register 503, ajid 2-bit UW 70 

numbers PRN is obtained from bits 2 and 3 register 504 is utilized mainly as storage for 

of the instruction counter (118 or Figure 1) various ring numbers that are obtained 

via bits IC (2—3) of the QA bus 614 of from the outside of the ring checking 

Figure 6. Bits IC (2—3) c f QA bus 614 are hardware of Figure 5 and transferred or 

10 transferred to 2-bit UV register 503 under processed to other parts of the ring 75 

control of a micro-operation UV9QA0. The checking hardware. For example the base 

micro-operations are obtained from micro- register ring number BRN is transferred 

instructions in the control store unit ! 10. from bit positions 2 and 3 of UBS transfer 

(On Figure 5 the dot surrounded by a circle logic 606 to UV register 503 under control 

15 indicates a micro-operation and the first of the micro-operation UVFBS0; the go 

two letters of the name of the micro- maximum ring number MAX R of word 2 of 

operation indicate the destination of the the segment descriptor (also shown stored 

data to be transferred; the fourth and fifth in bits 36 and 37 of UAB associator buffer 

letters indicate the source of the data 611) is transferred from UAB buffer 61 1 to 

20 transferred; the third character indicates UV register 503 under control of the micro- 85 

whether a full or partial transfer is made operation UVFABI; also bits 34 and 35 of 

with F indicating a full transfer while the UAB buffer 611 which is the write ring 

sixth character indicates whether the signal number WR is transferred to UV register 

doing the transferring is high or low with 503 under control of micro-operation 

25 even numbers indicating a low signul and UVFAB0. UW register 504 has similar 90 

odd numbers indicating a high signal. As an transfers of other ring numbers from 

example of the use of this convention bits 2 various parts of the system. For example 

and 3 on QA bus indicating the tail of the bits 34 and 35 which are the write ring 

arrow QA (2, 3) indicate PRN is the PRN number WR of UAB buffer 61 1 may also be 

30 process ring number that is being transferred to UW register 504 under 95 

transferred under control of the micro-op control of micro-operation UWFABI; bits 

UV9QA0 which says the transfer is made to 32 and 33, the read RD ring number of 

register UV, is a partial transfer of the bus UAB buffer 61 1 may also he transferred to 

QA, and the source of the data is the bus UW register 504 under control of micro- 

35 QA and is an unconditional transfer as op UWFAB0; also bits 0 and 1 of QA bus |fJ0 

indicated bv the sixth character being 0. 614 may be transferred to UW register 504 

Transfer to UV register from QA bus source under control of micro-operation 

is unconditional. This 0 will be the UW9QA0. Note also several transfer paths 

corresponding seventh character in the of UW register 504 into UV register 503 

40 logic file name of the subcommand under control of the micro-operation |05 

UV9QA1<*. Once the process ring number UV9UW0: the transfer path of UV register 

PRN is transferred from the QA bus 61 4 to 503 into UM register 502 under control of 

the UV register 503 another transfer takes micro-operation UM9UV0; the transfer 

place under control of the micro-operation path of UM register 502 into UP register 

45 UM9UV0 from UV register 503 to UM 501 under control of the micro-operation no 

register 502. Finally another transfer takes UP9UM0; the transfer path of UP register 

place from UM register 502 to UP register 501 into UM register 502 under control of 

501 under control of a micro-operation micro-operation UM9UP0; the transfer 

UP9UM0. path of UM register 502 into UO register 

50 Two bit register UM 502 is utilized to 512 under control of micro-operation 115 

generate the effective address ring number UO9UM0; and finally the transfer path of 

EAR during ITS and ITBB (Le. indirection UO register 512 into UM register 502 under 

to segment and indirection to base), control of the micro-operation UM9UO0. 

(EA R=MAX (BRN, PRN, DRN./BBR Briefly therefore UP register 501 holds 

55 (BRN) etc.) address formation for address the current process ring number PRN; UM 120 

syllable I and address syllable 2 type register 502 and UO register 512 are utilized 

instruction format. The EAR is generated for transfer operations and also to generate 

according to the rules previously the EAR; UV register 503 may shore for 

enunciated by utilizing one or more tests various purposes and at different times the 

60 shown in block 5 10 and the maximum of the current process ring number PRN, the base 1 25 

rin§ number is obtained and stored in UM register ring number BRN, the maximum 

register 502 which stores the effective ring number MAX R, the write ring number 

address ring number EAR (detailed logic or WR, or the read ring number RD. UW 

making the comparisons of block 510 are register 504 may at various times hold the 

65 later shown and described in detail). The read ring number RD, the write ring 130 
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number WR, and bits 0 and I of bus QA. 
UMR 505 is logic, the details of which are 
shown on Figure 8d, which compares the 
contents of registers UM and UV and 
5 produces the greater of the two values in 
the registers and this value is stored in UM 
register 502 under micro-operation control 
UMFMRO. This is one way of generating 
the effective address ring number EAR. 
10 UMR logic 505 may also produce the 
greater value of the contents of register UP 
or of bits 2 and 3 of UBS logic 606. This is 
another method and/or additional step in 
generating the effective address ring 
15 number EAR. UMR logic 505 is also 
utilized to determine whether or not a write 
violation has occurred by transferring a 
write ring number WR into UV register 503 
and then comparing the contents of the UM 
20 register 502 (holding EAR) with the 
contents of UV register 503 in order to 
determine which one has the greater 
contents. Since UM register 502 stores tie 
effective address ring number EAR a 
25 comparison of the UM register and the UV 
register will indicate whether EAR is 
greater than WR or vice versa. If WP (i.e. 
write permission bit in the segment 
descriptor) is equal to 1 and if EAR lies in 
30 the range of 0sEAR<WR then a write 
operation may be performed into the 
segment. Note that UMR logic 505 may 
have inputs directly or indirectly from all 
registers 501 — 504, from other logic 506, 
507 and also from UBS logic 606. 

UWV logic 506 corresponds to the detail 
logic of Figure 8a. UWV logic 506 has 
inputs directly or indirectly from registers 
501—504 and from logic 505, 507 
40 respectively and generates an execute 
violation signal when a comparison of UW, 
UM and UV registers 504, 502, and 503 
respectively indicates that the statements 
that the maximum ring number MAXR is 
45 greater or equal to the effective address 
ring number EAR, and that EAR is greater 
or equal to the write ring number WR are 
not true i.e. in order for a procedure to be 
able to execute in a given segment 
50 indicated by the effective address the 
maximum ring number MAXR must be 
greater or equal to the effective address 
ring number and the effective address ring 
number EAR must be equal or greater than 
55 the write ring number WR. UWV logic 506 
also performs tests shown in block 510. 
Indications may be given that the contents 
of UW register is less than or equal to the 
contents of the UV register; the contents of 
60 the UM register is greater than or equal to 
the contents of the UV register; the 
contents of the UV register is equal to the 
contents of the UM register; the contents of 
the UV register is greater or equal to the 
65 contents of the UM register; and the 



35 



contents of the UM register is greater than 
the contents of the UW register. Of course 
when performing these tests different 
values of ring numbers may occupy the 
registers. 70 

UEP logic 507 corresponds to the detail 
logic of Figure 8b. UEP logic 507 in 
combination with UWV logic 506 generates 
the read violation exception. However the 
read violation exception may be overridden 75 
if the effective address ring number EAR 
equals the current process ring number 
PRN, since a procedure is always permitted 
to read its own segment, and if the segment 
number of the procedure segment 80 
descriptor (not shown herein) and the 
segment number of the address syllable 
utilized in generation of the effective 
address are the same. 

To illustrate the overriding of the read 85 
violation signal assume that the effective 
address read number EAR is greater than 
the read number RD which would generate 
a read violation high signal which would be 
applied as one input of AND gate 522. 90 
However the read violation exception 
signal may not be generated even though 
there is a read violation signal if tee 
following two conditions exists: 

1. The effective address ring number 95 
EAR is equal to the process ring number 
PRN; i.e. the contents of register UM is 
equai to the contents of the register UP; 
and, 

2. The segment number contained in the 100 
address syllable of the segment in which a 
procedure desires to read is equal to the 
segment number of the procedure segment 
descriptor (not shown) of the current 
procedure in execution and this is indicated 105 
by setting a bit called a P bit and located as 

the thirteenth bit of UE register 650. (UE 
register 650 is a store for the contents of 
UAS associator 609 when a "hit" has 
resulted by a comparison of the contents of MO 
US register 607). Since this example 
assumes that EAR equals PRN, UEP logic 
507 will apply a high signal to AND gate 520 
as one input, and since it is also assumed 
that the segment number SEG of the \\$ 
address syllable of the segment being 
addressed is equal to the segment number 
SEG of the procedure segment descriptor 
(not shown) of the currently executing 
procedure, then the P bit of the procedure 120 
segment descriptor will be set and hence 
the other input applied to AND gate 520 
will be high thus enabling AND gate 520; a 
high signal is therefore applied to the input 
of inverter 521 resulting in a low signal at |25 
the output of inverter 521 which low signal 
is then applied as another input of AND 
gate 522. Since there is a low signal to AND 
gate 522 no read violation exception signal 
can be generated by amplifier 523 even if J30 



M83.282 



13 



13 

the third input signal applied to AND gate 
522 is high. 

To illustrate how a read violation signal is 
generated and not overridden* assume that 
5 the output of UEP logic 507 indicates that 
the contents of UM register is not equal to 
the contents of UP register. Then that input 
to AND gate 520 would be low and hence 
AND gate 520 would not be enabled and its 

10 output would be low and would be applied 
to the input of inverter 521. Since the input 
of inverter 521 is low its output would be 
high which would be applied as one input of 
AND gate 522. If also the effective address 

15 ring number EAR is greater than the read 
rin| number RD (i.e. contents of UM 
register is greater than contents of UW 
register) that signal would be high and 
would be also applied to another input of 

20 AND gate 522. AND gate 522 has still a 
third input which must also be high in order 
to enable AND gate 522. This third input is 
high when AND gate 526 is enabled. Since 
AND gate 526 has one input terminal which 

25 is high when the 00 terminal of URVIF flop 
524 is low, AND gate 526 is enabled by 
applying the micro-operation read 
violation interrogate signal AJERVA to 
one input terminal of AND gate 526 while 

30 the 00 terminal of URVIF flop 524 is low. 
Thus AND gate 522 will have all input 
terminals high, generating the read 
violation exception signal. 
The execute violation exception is 

35 generated in two ways, ft was seen earlier 
that an execute violation signal results 
when UWV logic 506 indicates that the 
inequalities WR is less than or equal to 
EAR, and EAR is less than or equal to 

40 MAXR are not true. This high execute 
violation signal is applied to a one-legged 
AND gate 550 which in turn is applied to 
the input terminal of two-legged AND gate 
553 via amplifier 552. When an execute 

45 violation interrogate micro-operation signal 
AJEEVA is applied as another input of two- 
legged AND gate 553, this gate is enabled 
which in turn generates the execute 
violation exception via amplifier 554. The 

50 other method by which the execute 
violation exception is generated by the 
execute violation hardware 511 is when the 
execute permission bit EP is not set. When 
this condition is true it is indicated by the 

55 seventh bit of UY register 613 being high; 
this bit is then applied to the input terminal 
of one-legged AND gate 551 which is 
applied as a high signal to one input 
terminal of AND gate 553 via amplifier 552. 

60 When the execute violation interrogate 
micro-operation signal AJEEVA goes high, 
AND gate 553 is enabled and generates an 
execute violation exception via amplifier 
554. 

65 The write violation exception is also 



generated in two ways. It was seen 
previously how the UMR logic 505 
generates a write violation signal when 
EAR is greater than WR. This write 
violation signal is applied to one input 70 
terminal of AND gate 545. AND gate 545 is 
enabled when its second input terminal 
goes high thus generating a write violation 
exception through amplifier 547. The 
second input terminal of AND gate 545 75 
goes high when AND gate 542 is enabled. 
AND gate 542 is enabled when the input 
signals applied to its input terminals are 
high. One input signal is high when UWV IF 
flop 541 is low which in turn applies a low 80 
signal to the input terminal of inverter 543 
which in turn applies a high signal to one 
input terminal of AND gate 542; the other 
input signal is high when the write violation 
interrogate micro-op signal AJEWVA is 85 
high and this happens when it is desired to 
interrogate a procedure for the write 
violation exception. (Rip-flops URVIF, 
URN IF, and UWV IF are set low when any 
interrupts or softward occurs). (UWV2F, 90 
URV2F, and URN2F flip-flops arc utilized 
to store back-up excess checking - 
information for ring checking). The other 
method for generating a write violation 
exception is when the write permission bit 95 
WP is not set. This condition is indicated by 
bit 6 of UV register 613 being high. When 
this condition exists and the high signal (i.e. 
the sixth bit of UV register) is applied as one 
input of AND gate 546 and the interrogate 100 
signal 

AJEWVA is high and applied as 
another input of AND gate 546, then AND 
gate 546 is enabled and a write violation 
exception occurs via amplifier 547. 105 

Logic circuitry 591 comprised of flip- 
flops 532 and 533 in conjunction with 
amplifier 530 and AND gate 531 and 
inverter 530A permit the formation in 
register UM 502 of the maximum value of 1 10 
ring number (i.e. EAR) under control of a 
splatter instruction subcommand (not 
described herein) from the instruction fetch 
unit IFU. Assuming URN IF flip-flop 532 is 
set to logical 0 whereas URN2F flip-flop 115 
533 is set to logical 1, then during the 
execution of the splatter subcommand, 
input terminal 531 A of AND gate 531 will 
be high; therefore if flip-flop 532 is low 
(logical 0) then the signal will be inverted by 1 20 
inverter 530A and AND gate 531 will be 
enabled. Hence the maximum value of the 
contents of UP register 501 or hits 2 and 3 
of logic vector UBS 606 will be strobed into 
UM register 502. Conversely if flip-flop 532 125 
is a logical i, then the contents of UM 
register 502 is not changed via the above 
mentioned sources and the EAR derived in 
UM register 502 via the addressing process 
of indirection is the one utilized. Rip-flop 130 
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533 is the back-up store for the EAR of The code for the control signals are 
address-syllable 2 when utilized. previously described in detail and is 

Referring now to Figures 7 and 8 and summarized here. Briefly the first two 
Figure 5 there is a correspondence wherein characters of a control signal indicate the 
5 the detailed logic for hardware in Figure 5 destination of data to be transferred; the 70 
is shown in Figures 7 and 8 as follows: third character indicates whether a full or 
Figure 7a and U\V register 504; Figure 7b partial transfer is to be effected with the 
and UV register 503; Figure 7c and block letter F indicating full transfer and any 
590: Figure 7d and block 591; Figure 7e and other character indicating a partial 
10 block 592; Figure 7f and UP register 501; transfer; the fourth and fifth character 75 
Figure 7g and UO register 512; Figure 7h indicates the source of the data, and if the 
and UM register 502; Figure 8a and UWV source is identified by more than two letters 
logic 506; Figure 8b and UEP logic 507; and only the last two letters need be used; the 
Figure 8d and UMR logic 505. sixth and seventh characters are usually 

15 Referring to Figure 7a, the UW register numerals and indicate whether the signal is 80 
504 is comprised of two flip-flops 715a and high or low i.e. an odd numeral in the sixth 

720a respectively, each flip-flop capable of position indicates assertion and an even 
holding one bit of information of the UW numeral in the sixth position indicates 
register. Coupled to flip-flop 715a are 4 negation; the seventh position indicates 

20 AND gates 711a— 714a which are OR'ed whether this is the first, second, third, etc. 85 
together, with each gate (except gate 713a) level of occurrence of the signal. Data, on 

having two input terminals, and with at the other hand, is indicated differently. The 

least one signal applied to each input first three characters of data indicates the 

terminal. AND gate 714a has one of its source of the data, the fourth and fifth 

25 input terminals coupled to the set terminal characters which may be numerals indicate 90 

OW000I0 of the flip-flop 715a. Flip-flop the bit positions where the data is located in 

71 5a is also coupled to the terminal H27 for the soorcc, and the sixth and seventh 

receiving from a clock a timing signal called position are similar to the control signals in 

a PDA signal. Rip-flop 720a coupled to that they indicate whether the signaTis high 

30 AND gates 716a— 719a which are OR'ed or low and the level of occurrence of the 95 

together. One input terminal of AND gate signal. Generally the format itself indicates 

716a is coupled to an input terminal of whether the signal is a control signal or a 

AND gate 711 a; one input terminal of AND data signal and by reference to Figures 5 

gate 717a is coupled to one input terminal and 6 the source and destination may be 

35 of AND gate 7 12a and one input terminal of determined. There are exceptions to this 100 

AND gate 7 1 9a is coupled to an input general rule and they will be spelled out in 

terminal of AND gale 714a, whereas the the specification, and addenum. 
other input terminal of AND gate 719a is As an example of this convention it will 

coupled to the set terminal UW001 10 of the be noted on Figure 7a that the following 

40 flip-flop 720a. Rip-flop 720a is also coupled signals arc control signals: UWFAB1L 105 

to the H27 terminal for receiving PDA UWFAB10, UW9QA10. The following 

pulses, signals arc data signals UAB3410, 

AND gates 701a— 704a are OR'ed UAB3210, UAB3510, UAB3310, QA00110, 

together each having their output terminal and QA00010. The following signals are 

45 coupled to the input terminal of inverter exception PDARG10 is a timing signal 110 

705a. AND gate 706a is coupled to whose source is the PDA clock- 

amplifier 708a; whereas AND gate 707a is UWHOL10 is a hold signal for holding the 

coupled to amplifier 709a; one input information in the flip-flops 715a and 720a 

.terminal of AND gate 706a is coupled to UW0BK10 and UWIBK10 are back-up 

50 one input terminal of AND gate 707a. The logic whose main function is to extend the 115 

output terminal of inverter 705a is coupled input capability of flip-flops 715a and 720a 

to one input terminal of AND gate 714a and by connecting the UW register which is in 

719a; the output terminal of amplifier 708a fact formed by flip-flops 7!5a and 720a, to 

is coupled to the input terminal of AND bit zero and bit I represented by flip-flops 

55 gate 713a and the output terminal of 715a and 720a respectively; and finally 120 

amplifier 709a is coupled to the input USCLR10 is the clear signal for clearing 

terminal of AND gate 718a, and setting the flip-flops to zero. 

The signals applied to the inputs of AND As an illustration of the above mentioned 

gates and the signals derived as outputs convention herein adopted the signal 

60 from amplifier, inverters, or flip-flops are UWFABll applied to the input of one- 125 

designated by letters forming a special legged AND gate 702a is a control signal 

code. Since both data signals and control which transfers data (bits 34 and 35) 

signals are either applied or derived there contained in UAB associator buffer 611 

are two codes, one code for the control (the U in the signal has been omitted) to 

65 signals and one code for the data signals. UW register 504 and is a full transfer to the 130 
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UW register !; the odd number indicates 
the signal is assertion. Signal UWFABIO 
applied to the input of one-legged AND 
gate 703a is a control signal with the same 
5 source and destination as the signal applied 
to AND gate 702a except that bits 32 and 33 
of UAB are transferred to UW register. The 
sicnal UW9QA10 applied to one-legged 
AND gate 704a is also a control signal 

10, wherein data is transferred from QA bus 
614 to the UW register and may be a partial 
transfer. The signal QA0001O applied to 
AND gate 706a is a data signal where data 
is on QA bus 614 (the third position is not 

15 herein utilized since the First two positions 
adequately describe where the data is) and 
this data signal represents the bit identified 
as 00 on QA bus 614, The signal QA001 10 is 
similar to the previous signal except the 

20 data identified by this signal is the data on 
position 01 of the QA bus 614. Thus by 
utilizing this convention and Figures 5 
through 9 the ring protection hardware is 
fully defined and may be easily built by a 

25 person of ordinary skill in the computer art. 
Referring to Figure 7b there is shown the 
detailed logic block diagram for UV register 
503. Signal UVH0L10 is a hold signal for 
UV register 503 which is generated via 

30 inverter 703b when none of the one-legged 
AND gates 701b— 708b has a high signal 
applied to it. UVH0L10 signal is applied to 
AND gate 723b and causes information 
stored in the UV register 503 to be held 

35 therein. Signal UVH0L1E coupled to the 
input of AND gate 704b and to the outputs 
of AND gates 705b— 708b extends the 
number of control signals that may 
generate the hold signal UVH0L10. Signal 

40 UV0BK10 coupled to the outputs of AND 
gates 710b— 7 1 3b and to the input of AND 
gate 722b is also utilized to extend the 
number of inputs signals that may be 
applied to flip-flop 724b. Signal 

45 UV1BK10 coupled to the outputs of AND 
gates 7161) — 718b and to the input of AND 
gate 727b similarly extends the number of 
input signals that may be applied to flip-flop 
729b. 

50 Referring now to Figure 7g there is 
shown the detailed logic block diagram of 
UO register 512. AND gates 70Jg-~704g are 
OR'edtogethcr and their output is applied 
as an input to inverter 705g. AND gates 

55 706g— 709g are also OR'ed together and 
their outputs are coupled to flip-flop 710g. 
Also one input of AND gate 709g is coupled 
to the U000010 terminal of flip-flop 71Qg. 
AND gates 71 Ig— 7t4g are also OR'ed 

60 together and are similarly coupled to flip- 
flop 715g. It will be noted also that an input 
of AND gate 706g is coupled to an input of 
AND gate 7 1 Ig; an input of AND gate 707g 
is coupled to an input of AND gate 712g 

65 and an input of AND gate 709g is coupled 
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to an input of AND gate 7l4g. The 
UOH0L10 signal generated by inverter 
705g is also coupled to an input of AND 
gate 709g and 714g and is utilized to hold 
information in the UO register 512. XOO 70 
represents a ground, whereas XNU means 
unused input. 

Figure 7f is a detailed logic block 
diagram of UP register 501. It is similar to 
Figure 7g described supra except that 75 
different signals from different destinations 
and different sources are applied. 

Referring now to Figure 7h there is 
shown the detailed logic block diagram of 
UM register 502. AND gate 70lh— 704b are 80 
OR'ed together to produce the UMH0L10 
hold signal via inverter 705h. AND gates 
706h— 709h are OR'ed together and are 
coupled 10 the input of AND gate 704h in 
order to extend the range of signals that 85 
may be applied to produce the UMH0L10 
hold signal. Similarly AND gates 
71 lh— 714h are OR'ed together and 
coupled to the input of AND gate 723n in 
order to extend the range of signals that 90 
may be applied to nip-flop 730h; and also 
AND gates 716h—7l9h are OR'ed together 
and are coupled to the input of AND gate 
727h in order to extend the range of signals 
applied to flip-flop 73 lh. A line 7406 for 95 
applying the PDA signals to flip-flop 730h 
and 73 1 h is coupled at point 734h and 735h 
respectively. The input of AND gate 703b is 
also expanded to provide two further inputs 
URN1F00 and IRNUM10 by coupling the 100 
output of amplifier 733h to the input of 
AND gate 703a. 

Referring now to Figures 7c — 7e there is 
shown detailed logic block diagrams of 
write exception control logic 590, IFU 105 
subcommand control logic 591, and read 
violation exception control logic 592 
respectively. Referring first to Figure 7c 
there is shown flip-flops 705c and 710c 
which correspond to flip-flops 541 and 540 1 10 
respectively. Under a micro-operation 
URW2F10 subcommand the information in 
flip-flop 710c is transferred to flip-flop 
705c. The UWVIH10 hold signal is utilized 
to hold the information transferred to flip- 1 15 
flop 710c, whereas the UWV2HI0 signal is 
utilized to hold the information transferred 
to flip-flop 705c. Similarly in Figure 7d 
information is transferred from flip-flop 
7!0d to flip-flop 705d under micro- 120 
operation signal URNSW10, and in Figure 
7c information from flip-flop 710e is 
transferred to flip-flop 709e under control 
of micro-operation signal URW2F10. 

Referring now to Figures 8a, 8b and 8d 125 
there is shown detailed logic block 
diagrams of UWV logic 506, UWEP logic 
507, and UMR logic 505 respectively. 
Referring first to Figure 8a there is shown 
logic for generating a high signal when one 130 
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of the test conditions 5 10 is true and also for 
generating the execute violation signal 
when the contents of UW register is less 
than or equal to the contents of UM 

5 register is less than or equal to the contents 
of UV register is not true. When the signal 
UWLEV10 is generated it indicates that the 
contents of UW register 504 is less than or 
equal to the contents of UV register 503. 

10 The logic for generating this signal was 
derived pursuant to the following Boolean 
expression: 



30 



40 



45 



X l =CBCD)+(AB^)x(AC} 

Where X t represents the output of 
1 5 amplifier 805a and the various letters of the 
expression represent different input 
terminals of AND gates 801a — 804a. 

An indication that the contents of UV 
register 503 is greater than or equal to the 
20 contents of UM register 502 is had when 
UVGEM 10 signal is generated. This signal 
is generated via inverter 820a in response to 
various inputs on AND gates 816a— 819a 
which are OR'ed together and coupled to 
25 the input of inverter 820a. The logic for 
generating the UVGEM 10 signal is made 
pursuant to the following Boolean 
expression: 



XjKB CDMA B D>f (AC) 



An indication that the contents of UM 
register 502 is greater than or equal to the 
contents of UV register 503 is indicated by 

fenerating signal UMGEV10 via inverter 
10a in response to the various inputs of 
35 AND gates 806a— 809a which are OR'ed 
together. The logic for generating this 
signal is derived from the following 
Boolean expression: 



xmbCBwabDmaq 

(Wherein X a is the generated output 
signal). 

Similarly the UVEQM10 signal is 
generated pursuant to the following 
Boolean expression: 



X 4 =(AC)+(AC)+(B D)+(B D) 



Generation of the UVEQUMI0 signal 
indicates that the contents of the UV 
register 503 is equal to the contents of the 
UM register 502. 

50 The generation of the UMGEW10 signal 
indicates that the contents of the UM 
register 502 is greater or equal to the 
contents of the UW register 504 and is 
generated pursuant to logic having the 

55 following Boolean expression: 



xhbcdmabSmac) 



Generation of the UMGTW10 signal 
indicates that the contents of UM register 
502 is greater than the contents of UW 
register 504 and this signal is generated by 60 
logic defined by the following Boolean 
expression: 

X<HABl>)+3BB+A) 

The generation of the UWGMV00 signal 
indicates that the contents of UW register 65 
less than or equal to the contents of UM 
register less than or equal to the contents of 
UV register is not true. It is obtained when 
the UVGEM 10 signal indicating that the 
contents of UV register is greater than or 70 
equal to the contents of the UM register, 
and the UMGEW10 signal indicating that 
the contents of the UM register is greater 
than or equal to the contents of the UW 
register are both high. 75 

Referring now to Figure 8b a UMEQP10 
signal is generated by logic derived from 
the following Boolean expression: 



XrKA?T>KAC WB5 MB D) 

When this signal is high it indicates that 80 
the contents of UM register 502 is greater 
than the contents of UP register 501. 

Referring to Figure 8d there is shown the 
detailed logic block diagram for performing 
the operations of UMR logic 505 shown on 85 
Figure 5. One of the operations of this logic 
is to determine the maximum value of the 
contents of UP register 501 and of bits 2 and 
3 of UBS logic 606. In order to do this there 
must be an indication whether contents of 90 
UP is less than the contents of UBS or the 
contents of UP is greater than the contents 
of UBS. The generation of UPBEB 10 signal 
indicates that the contents of UP register 
501 is less than or equal to bits 2 and 3 of 95 
UBS logic 606; whereas the generation 
signal UPGTB 1 0 indicates that the contents 
of UP register 501 is greater than bits 2 and 
3 of UBS logic 606. These signals are 
generated by logic which has been defined 100 
by the following Boolean expression: 

X«=(BCD)+(ABD)4-(AC) 

Where X R is the output of inverter 805d 
and the letters of the expression are various 
inputs of the AND gates 801d— 803d. 105 

To illustrate how the maximum value of 
the contents of UP register and UBS logic 
may be determined by the output signals 
UMPBOlOand UMPBllOof amplifier 814d 
and 817d respectively, assume first that the 1 10 
contents of register UP are less than or 
equal to bits 2 and 3 of UBS logic because 
bh 2 is I and bit 3 is I whereas UB register 
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contains 01. This is indicated by the 9ignal 
UPLEB10 being high and the signal 
UPGTBIO being low since it is the inverse 
of signals UPLETBIO. This high UPLEB10 
5 signal is applied to one input of AND gate 
8 1 3d and also one input or AND eate 806d. 
If bit 2 of UBS logic is a I as indicated by 
signal UBS02I0 then AND gate 813d is 
enabled and signal UMPBOIOgoes high and 

10 indicates that bit 2 on UBS logic is a 1. 
Moreover if bit 3 of UBS logic is a I 
indicated by input signal UBS0310 being 
applied as another input of AND gate 816d 
then AND gate 816d is enabled and signal 

15 UMPB1 10 is high or a I. Therefore under 
the assumed conditions where bits (2, 3) 
UBS logic is greater or equal to the 
contents of UP register the maximum value 
of the two quantities is in UBS, and its 

20 number is binary 1 1 or decimal 4. Hence it 
is seen how a comparison is first made to 
determine which hardware contains the 
maximum, and then a determination is 
made as to the value of that maximum. By 

25 similar analysis one may see how the value 
of the UP register may be determined by 
signals UMPB010 and signals UMPB1I0 
when the contents of UP register is greater 
than the second and third bit of UBS logic. 

30 Similarly the maximum value of UM 
register 502 or UV register 503 may be 
determined by signals UVGEM10 and 
UMGTV10 respectively, when UV register 
503 is greater than or equal to UM register 

35 502, and conversely when UM register 502 
is greater than UV register 503. 

Referring now to Figures 9a— 9i a legend 
of symbols utilized in Figures 7 and 8 is 
shown. Figure 9a shows the symbol when 

40 there is a connection internally within the 
logic board. Figure 9b illustrates an output 
pin connection. Figure 9c indicates an 
input pin connection and is generally a 
source outside of the logic board 

45 illustrated. Figure 9d is the symbol utilized 
for an AND gate. Figure 9e is the symbol 
utilized for an amplifier; whereas Figure 9f 
is the symbol utilized for an inverter. Figure 
9g illustrates three AND gates 90 Ig— 903g 

50 that are OR'ed together thus causing 
output 904g to go high when any one of 
AND gates 901g— 903g is high. Figure 9h 
shows the symbol of a flip-flop having a 00 
reset terminal and a 10 set terminal. A PDA 

55 line supplies the clock pulse for causing the 
flip-flop to switch states when other 
conditions are present on the flip-flop. 
Figure 9i represents a micro-operation 
control signal. 

60 In order to enforce the ring protection 
scheme between procedures executing in 
different rings, the invention employs push- 
down sucks for its procedure linkage 
mechanism wherein a portion of each stack 
65 called a stack frame is dynamically 



allocated to each procedure. Different 
stack segments are used for each ring with 
one stack segment corresponding to one 
ring. Thus when a procedure is executed in 
ring RN its slack frame is located in the RN 70 
stack segment. Referring to Figure 10 there 
is shown three stack segments 1001—1003, 
with each stack segment having stack 
frames SI — S3 respectively. Ring 3 is 
assigned to stack segment 1001, ring 1 75 
assigned to stack segment 1002 and ring 0 is 
assigned to stack segment 1003. Within 
each stack segment there is a procedure 1 1 
associated with stack frame SI of segment 
100 1, a procedure P2 associated with stack 80 
frame S2 of stack segment 1002 and a 
procedure P3 associated with stack frame 
S3 of stack segment 1003. The segmented 
addresses (i.e. segment number and 
segment relative address SEG, SRA) of the 85 
first bytes of the stack segments for rings 0, 
I and 2 respectively are located in stack 
base words SB W0 — SBW2 respectively 
which are in turn located in process control 
black 104. Since the ring 3 stack segment 90 
can never be entered by an inward call (i.e. 
from a ring higher than ring 3) its stack 
starting address is not needed. Each stack 
frame SI, S2, S3 is divided into a working 
area 1005, 1006, 1007 respectively; an 95 
unused portion 1008, 1009, 1010, which is 
utilized for alignment purposes; a register 
saving area 1011, 1012, and 1013; and a 
communication area 1014, 1015, and 1016 
respectively. The working area is utilized by 100 
its procedure as needed and may contain 
material required by the process such as 
local variables, etc. The saving area of the 
stack frame is utilized to save the contents 
of various registers such as the status 105 
register, the T-registcr and the instruction 
counter contents ICC. The 
communications area stores information 
which is needed to pass parameters 
between procedures. Prior to a call to a 110 
given procedure the user saves those 
registers he wishes saved and moreover 
loads into the communication area the 
parameters to be passed to the called 
procedure. When the call is made, the 115 
hardware saves the contents of the 
instruction counter and other specified 
registers to facilitate a return from the 
called procedure. Each procedure call 
creates a stack frame within a stack 120 
segment and subsequent procedure calls 
create additional frames. Hence a stack is 
created and consists of a number of 
contiguous parts called stack frames which 
are dynamically allocated to each 125 
procedure. These stacks reside in stack 
segments. Generally the first stack frame is 
loaded into the beginning of the segment 
and succeeding frames are loaded after it. 
The last frame loaded is considered the top 1 30 
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of ihe suck. A T-register i 14 on Figure I, 
locales the top of the stack for the currently 
active process. A procedure such as for 
example Pi which is executing in ring 3 may 

5 call a procedure P2 executing in ring 1 
which in turn calls a procedure P3 which is 
now executing in ring 0. As each procedure 
is called it creates within its ring stack 
segment a stack frame (i.e. defining the 

10 environment for the procedure execution) 
and the T-rcgister 1 14 is loaded which gives 
the address of the top of the stack for the 
current active process. The procedure PI 
(as previously assumed) may call procedure 

1 5 P2 which in turn may call procedure P3 and 
since these calls are from a higher ring 
number to a lower ring number a ring 
crossing entailing an inward call is required 
and is accomplished in a manner to be 

20 described infra. During each change of 
procedure the necessary registers and 
parameters are saved in order to facilitate a 
return from the called procedure. 

A procedure is always accessed through a 

25 procedure descriptor 1 1 10 by means of the 
ENTER PROCEDURE INSTRUCTIONS. 
The format of the ENTER PROCEDURE 
INSTRUCTION 1 100 is shown on Figure 
11a. The operation code (OP) 1101 

30 occupies bit positions 0 through 7. The 
complementary code 1 102 is a one bit code 
and occupies bit position 8 to 9; if the 
complementary code is set to logical 1 the 
instruction is ENT. whereas if the 

35 complementary code is logical 0 the 
instruction is ENTSR and the base register 
must be base register 0 (BRO). The address 
syllable AS i 104 occupies bit positions 12 
thru 31 and provides the address syllable 

40 AS of the procedure descriptor 3 1 10. When 
an ENTER PROCEDURE 
INSTRUCTION requires a ring crossing a 
gating procedure descriptor 1120 is 
obligatorily accessed. This is indicated by 

45 the GS Held 1302 of segment descriptor 
1301 being set to logical 10. Generally the 
GS field is set to 10 when one of the 
ENTER PROCEDURE INSTRUCTIONS 
.is utilized. As described in the application 

50 No. 21630/76, Serial No. 1,465.344. the 
segment descriptor is utilized to point to the 
base of the segment desired, in this instance 
the segment 1300 containing gate 
procedure descriptors GPD 1 120. The first 

55 word of the segment 1300 containing the 
gating procedure descriptors (GPD's) is 
formatted as shown in Figure lie. The 
TAG 1121 occupies bit positions 0 and 1 
and must indicate a fault descriptor i.c. the 

60 TAG field must be set to logical II. The 
Caller's Maximum Rin$ Number CMRN 
1122 occupies bit positions 2 and 3, and 
indicates the maximum ring from which a 
calling procedure through the gated 

65 procedure descriptor GPD is legal. A call 



violation exception is generated if the 
caller s ring number is greater than CMRN 
1 122. The gated procedure descriptor 
address boundary oPDAB 1124 occupies 
bit positions 10 through 31 and it must be 70 
greater than the segment relative address 
SRA (i.e. the GPD*s displacement in the 
segment of procedure descriptors 1300), 
otherwise an illegal GPD access exception 
occurs. Thus a gating procedure descriptor 75 
GPD is utilized as the first word of the 
segment containing procedure descriptors 
and is utilized to determine whether the 
caller has a right to access the segment via 
the caller's maximum ring number CMRN 80 • 
and whether or not the procedure 
descriptor called is within the gating 
procedure descriptor's address boundary. 
Once it is determined that there is a legal 
call to the segment and the caller has a right 85 
to enter the segment the address is obtained 
from the address syllable AS 1104 of enter 
instruction 1100 and the required 
procedure descriptor II 10 (see also Figure 
13) is accessed. The format of procedure 90 
descriptor 1 1 10 is shown on Figure 1 lb and 
is comprised of two 32 bit words— word 0 
and I respectively. Word 0 contains the 
segmented address 1113 of the entry point 
EP of the procedure desired. The 95 
segmented address, as is the case with the 
segmented address of any operand, is 
comprised of the segment number SEG and 
the segment relative address SRA. Word 0 
of the procedure descriptor includes an 100 
entry point ring number EPRN 1112 and a 
TAG field 11 1 1. The value of the TAG is 
interpreted as follows: 

a. if the TAG contains logical 00 the 
procedure descriptor is direct; 105 

b. if the TAG is logical 01 the procedure 
descriptor is an extended descriptor and 
includes word I making a total of two 
words; 

c. if the TAG is logical 10 the procedure 1 10 
descriptor is indirect ajid an illegal 
procedure descriptor exception occurs; and 

d. if the TAG is logical 11 it is a fault 
procedure descriptor and an exception 
occurs. 115 

Word I of the procedure descriptor is 32 
bits long and is utilized when the TAG 
indicates an extended descriptor and 
contains the segmented address of a linkage 
section whose contents are loaded in base 120 
register BR 7 at procedure entry time. 

Referring to Figure 12 a portion of the 
ENT instruction is shown and more 
specifically that portion which pertains to 
the ring crossing and ring checking 125 
requirements. The ENT instruction is 
called, 1201 and a comparison is made 1202 
wherein the segmented part of the base 
register BRn is compared to the segmented 
part of the address of the T register, and if 130 
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they are not equal an illegal stack base 
register 1208 is indicated. U on the other 
hand they are equal another comparison 
1203 is made wherein the 30th bit including 
the next two bits (i.e. bits 30 and 3 1 ) of base 
register, BRn is compared to 0 and if it is 



the stack frame and the stack frame 
registers arc updated; 

d. a branch to the entry point of the 
procedure pointed to by the procedure 
descriptor is performed. 

Referring now to Figure 14 the access 



not equal to 0, then once again an illegal checking is started 1401 by obtaining the 
stack base register 1208 is indicated. If it is address syllable AS containing the effective 
equal to 0 it indicates that the contents of ~ 
BRn is aligned with respect to the word 
boundary and another comparison 1204 is 
performed to determine that the TAG of 
BRn (i.e. the two bits starting from bit 0) is 
equal to 0. A TAG having a logical 0 
indicates information is accessed via a 
direct descriptor which is one of the 
requirements of the ENT instruction. If the 
TAG (i.e. bits 0 and ( of BRn) is equal to 0 
then the functions stated in flow charts of 
Figures 14 through 16 are performed (see 
flow chart Figure 12 block 1205). If these 
meet the necessary requirements a further 
check 1206 is made to determine whether 
the segment relative address of the entry 
point which was given (SRA^) is even, 
because instructions start on a half-word 
boundary. If it is not even then an illegal 
branch address exception is generated 1209 
however if it is legal the ENT instruction is 
executed 1207 via further steps not shown. 

Referring now to the flow charts of the 
access checking mechanism Figures 



address ring number EAR, the segment 
number of the procedure descriptor SEG ro , 
and the segment relative address of the 
procedure descriptor SRA PD . Having 
developed this information the procedure 
descriptor 1 1 10 is fetched 1403 from 
(SEGpp, SRA ro ) ignoring access rights to 
scratch pad memory. The procedure 
descriptor 1 110 will yield the TAG which 
determines whether the descriptor is direct, 
extended, indirect, or a fault descriptor; the 
entry point ring number EPRN; the 
segment (SRA^) which contains the entry 
point and the segment relative address 
(SRA„) of the entry point. The TAG is 
tested 1404 to determine whether the 
descriptor i 1 10 is direct, extended, indirect 
or a fault descriptor by checkiog ks field in 
accordance to the code hereinbefore 
described. Only a direct or extended 
procedure descriptor is legal. An indirect or 
fault descriptor is illegal and upon access 
invokes an exception mechanism not herein 
described. Once it is determined that a legal 



14 — 16, generally the following operations procedure descriptor has been accessed the 
^r^^^™^^!^^^ i, nstruct io n actual call right checking begins at point A 

cxn~tr r> nnnrrrM Tr " ' 1405. 

Referring now to Figure 15 and 



ENTER PROCEDURE is issued: 

a. the caller's right to call the callee is 
checked by first determining from the 
second word of the segment descriptor the 
call bracket in which the caller is executing. 
(The call bracket is determined by taking 
the minimum ring number from the write 
ring number field WR and the maximum 
ring number from the maximum ring 
number field MAXR). 

b. a decision is made about the next 
process ring number by determining 
whether the caller is in the same caff 
bracket as the callee, which implies don't 
do anything; whether the caller ts in a call 
bracket requiring that he make an outward 
call in which case an exception condition is 
generated which is handled by a mechanism 
not described herein; or finally whether the 
caller is in a call bracket which requires an 
inward call (i.e. going to a call bracket 
which requires ring crossing from a 
larger ring number to a smaller 
ring number in which case the 
ring crossing must be at a valid entry 
point EP and the entry point must be 
validated). 

c. a stack frame is created for the callee 



65 



70 



75 



80 



85 



90 



95 



100 



continuing from point A 1405 the maximum 
ring number MAXR, the write ring number 
WR, and the execute permission bit EP of 
the segment containing the entry points 
SEGb, arc fetched; this information is 105 
contained in the segment descriptor for the 
segment containing the entry points 
(SEG OT ). The write ring number WR is 
compared to the maximum ring number 
MAXR 1503 and if the write ring number 1 10 
WR is greater than the maximum ring 
number MAXR the segment is 
nonexecutable and an execute violation 
exception 1513 occurs. If the write ring 
number WR is less than or equal to the 115 
maximum ring number MAXR then the 
execute permission bit EP is compared to 
logical 1 and if the EP bit is not logical 1 
then once again an execute violation, 
exception 1513 occurs; however if the EP 120 
bit is equal to one the effective address ring 
number EAR of the calling procedure is 
maximized with EPRN to give a new 
EAR,,— {MAX (EAR, EPRN)J where 
EAR, is the maximum of PRN as found in 125 
the instruction counter 1C, and all ring 
numbers in base registers and data 



(i.e. space in the aforementioned format of descriptors, if any. found in the path which 
the appropriate segment is allocated), and leads to the procedure descriptor. The 
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effective address ring number EAR a is then gated procedure descriptor access 

compared 1506 to the maximum ring exception 1614 occurs. However if it is 

number MAXR of the MAXR segment within the address boundary of the gated 

descriptor of SEG„ which is the maximum procedure descriptor (i.e. SRA^ is less 

5 ring number at which a procedure may than GPDAB) then the caller's right to call 70 

execute. If EAR 3 is greater than MAXR the the callee is checked 1608. This is 

procedure call is an inward call which performed by comparing the effective 

requires that the procedure be entered by a address ring number EA& to the caller's 

valid entry point and the access checking maximum ring number CMRN 1122 as 

10 operation branch to point B 1507. The found in the first word 1 120 of the segment 75 

following checking operations are then of procedure descriptors 1300. If EARj is 

performed: greater than the caller's CMRN a call 

a. the SEGg, is checked to determine if violation exception 1615 occurs which 

it is a legal gate segment; and, indicates that the caller in this particular 

15 b. the caller's maximum ring number instance has no right to legally call inward 80 

CMRN is checked to determine if it is i.e. from a higher ring number to a lower 

greater than or equal to the effective ring number. On the other hand if EAR a is 

address ring number EAR of the caller. equal or less than CMRN, then the inward 

If these conditions are not true then an call is legal and a check is made 1609 to 

20 illegal gate segment exception 1603 or call determine that the process ring number 85 

violation exception 1615 occurs. PRN which is the current process ring 

Referring now to branch point B 1507 of number found in the instruction counter IC 

Figure 16 the first check 1602 that is made just before the call was made is less than the 

is to determine whether or not the maximum ring number MAXR of SEGj,; 

25 segment which contains the procedure and if it is the accessing mechanism 90 

descriptors is a gate segment This is done branches to point C 1508, otherwise a new 

by examining the Gating/Semaphore field process ring number NPRN is calculated 

GS of the segment descriptor pointing to and set to a maximum ring number MAXR 

the segment of procedure descriptors, to 1611. Generally the effective address ring 

30 determine if it is set to logical 10. If the GS number EAR t is the same as the process 95 

field of the segment descriptor of the ring number PRN of the caller. Sometimes 

segment containing procedure descriptors however, in cases where it is necessary to 

is set to 10 it is then a gate segment and the give maximum assurance that the caller will 

first word of the segment containing not be denied access to a given segment the 

35 procedure descriptors is a gated procedure EAR 2 is greater than the PRN. In those 100 

descriptor GPD 1120 of Figure 1IC and cases 1 RN is forced to take the value of 

Figure 13. The first word 1120 of the EAR 2 in order to make sure that the call is 

segment containing procedure descriptors returned to the maximum ring number 

is then fetched from address SEG^q, 0 upon an exit To this point it will be noted 

40 ignoring access rights to scratch pad that this checking mechanism was invoked 105 

memory. It will be noted that the TAG field because the EAR 3 was greater than the 

of the first word 1120 of the segment MAXR hence greater than the top of the 

containing procedure descriptor SEG™ call bracket of the procedure and hence an 

1300 must be a logical 11 (Figure 13) which inward call was necessary which 

45 indicates it is a fault descriptor. Moreover necessitated going through a valid gate, and 1 10 

the MBZ field must be set to zero. These the mechanism included these gating 

conditions are checked by checks. By branching back to C 1508 

hardware/firmware (arithmetic logic unit) (Figure 15) a further check 1509 is made to 

stop 1605 and if these conditions do not determine then that the process ring 

50 hold an illegal gate segment exception 1603 number PRN is greater than the write ring 1 15 

results. However if these conditions do hold number WR of SEG^ which in this context 

a check 1606 is further made to determine is the minimum ring number at which a 

that the segment relative address of the procedure may execute. If the write ring 

procedure descriptor SRA ro 1110 is a number WR is greater than the process ring 

55 multiple of 8. If the condition of step 1606 number PRN an outward call exception 120 

does not hold an illegal system object 1514 occurs. However if WR is less than or 

address exception 1613 results otherwise equal to PRN the call is legal and NPRN is 

the next step 1607 is performed. Step 1607 set to PRN 1510. 

checks to determine whether or not the Having made the above checks the 

60 segment relative address of the procedure inward call is made, and after performance 125 

descriptor SRA„, is within the address of the desired operation a return back to 

boundary GPDAB 1124 of the gated the original point of the program in 

procedure descriptor 1120; if it is not within execution is made by the EXIT 

that address boundary it is an illegal INSTRUCTION. During the ENTER 

65 procedure descriptor and an illegal GPD INSTRUCTION the instruction counter IC 130 
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was saved in the saving area of the caller's 
stack frame before making the call. 
Moreover the caller's ring number was also 
saved during the ENTER INSTRUCTION 
and this was saved in base register 0 BRO. 

The format of the EXIT INSTRUCTION 
1130 is shown on Figure 11D. The 
operation code OP 1131 is found in bit 
positions 0 — 7 and the complementary code 
C 1 133 is found in bit positions 12 — 15. The 
complementary code allows other 
instructions to use the same 8 bit op code. 
The MBZ field 1132 in bit positions 8 — 11 
must be 0 otherwise an illegal format field 
exception occurs. (BRO is generally a 
pointer to the communications area of the 
caller's stack frame). 

In performing the EXIT INSTRUCTION 
it is necessary to perform predetermined 
checks in order to ascertain that the caller 
didn't change his image which would 
permit him to operate a a different orivilege 
than was intended. Referring to Figure 17 
the first check performed 1701 is to 
determine if the TAG of the instruction 
counter content (ICC) indicates a direct 
descriptor. A logical 00 in the TAG field 
indicates that it is direct if it is not an illegal 
stack data exception 1702 occurs, whereas 
if it is equal to 0 the ring field in the 
instruction counter content ICC is set to 
the new process ring number NPRN 1703. 
This sets the new process ring number 
NPRN to what it used to be when the call 
was first made. However further checks are 
made in order to ascertain that there was no 
further cheating. Hence the base register 0 
ring number located at bit position 2 and 
extending for 2 bit positions from and 
including bit position 2 must be equal to the 
new process ring number NPRN 1704. (It 
will be recalled that when the ENTER 
INSTRUCTION was called the ring 
number of the caller before the call was 
made was stored in bits 2 and 3 of base 
register 0 (BRO). If check 1704 indicates that 
the new process ring number NPRN is not 
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110 



equal to the ring number in bit positions 2 
and 3 of the base register 0 (BRO) an illegal 
stack data exception 1702 occurs. The next 50 
check 1705 determines whether an inward 
or an outward return must be performed. 
Since an inward call was previously 
performed an outward return is implied in 
order to reach the original point from 55 
which the procedure was called. Moreover 
since the invention does not permit an 
outward call there is never a necessity to 
return inward. Hence the new process ring 
number NPRN is compared to the process 50 
ring number PRN 1705, and if NPRS is less 
than PRN an inward return is implied and 
an inward return exception 1706 is 
generated. However if check 1705 is passed 
successfully (i.e. NPRN is greater or equal 6S 
to PRN) then a check is made to determine 
that a return is made to the segmented 
address SEGr that called the procedure and 
a return to the call bracket of the calling 
procedure is made and moreover thai the 70 
execute bit EP is set. This is performed by 
fetching the segment descriptor SEGr of 
the calling procedure 1707 and making 
checks 1709, 1711, 1712. In performing 
checks 1709. 1711, 1712, check 1709 mid 75 
1711 determine that the new process ring 
number NPRN is greater than tne minimum 
ring number WR but less than the 
maxim u m ring number MAXR (Le. that the 
ring number is in the call bracket of the go 
calling procedure where it should be). 
Finally check 1712 makes sure that the 
execute permission bit EP is set to 1. Thus a 
full cycle is concluded a call was performed 
via an ENTER INSTRUCTION; the gj 
required operation or processing was 
performed via the called procedure; then a 
return via an EXIT INSTRUCTION to the 
calling procedure was performed. 

Having shown and described the 90 
preferred embodiment of the invention, 
those skilled in the art will realize that many 
variations of modifications can be made to 
produce the described invention and still be 
within the scope of the claimed invention, 95 



Glossary of Terms 

JOB — The job is the major unit of work for the batch user. It is the vehicle for 

describing, scheduling, and accounting for work he wants done. 
JOB STEP— A smaller unit of batch work. It is generally one step in the execution 
_ AO _, <£ a job consisting of processing that logically belongs together. 
TASK — The smallest unit of user-defined work. No user-visible concurrency of 

operation is permitted within a task. 
PROGRAM — A set of algorithms written by a programmer to furnish the 

procedural information necessary to do a job or a part of a job. 
PROCESS GROUP PLEX— The system's internal representation of a specific 

execution of a job. . 
PROCESS GROUP— A related set of processes, usually those necessary for 

performance of a single job step. 
PROCESS — The controlled execution of instructions without concurrency. Its 

physical representation and control are determined by internal system 

design or convention. 
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Glossary of Terms (cont.) 
PROCEDURE— A named software function or algorithm which is executable by 
a computational processor without concurrency. Its physical 
representation (code plus associated information, invocation, and use 
5 are determined by internal system or designed convention). 

LOGICAL PROCESS — The collection of hardware resources and control 

information necessary for the execution of a process. 
ADDRESS SPACE (SEGMENTATION)— The set of logical addresses that the 
CPU is permitted to transform into absolute addresses during a 
10 particular process. Although a processor has the technical ability of 

addressing every single cellof timing memory, it is desirable to restrict 
access only to those cells that are used during the process associated with 
the processor. 

LOGICAL ADDRESS — An element of the process address space such as for 
15 example segment number SEG and Displacement D. 

BASIC ADDRESS DEVELOPMENT— A hardware procedure which operates 
on a number of address elements to compute an absolute address which 
is used to refer to a byte location in core* 
PROCESS CONTROL BLOCK— A process control block PCB, is associated 
20 with each process and contains pertinent information about its 

associated process, including the absolute address of tables defining the 
segment tables the process may access. 
J. P. TABLES — A collection of logical addresses for locating a process control 
block associated with a process. 
25 SEGp,, — The segment which contains the procedure descriptor. 

SEGejt — The segment which contains the entry point, as found in the procedure 
descriptor. 

PRN— -The process ring number, found in the instruction counter IC just before 
the call, or calculated by the ENTSR instruction. 
30 EAR— The effective address ring number which is the maximum of: 
(a) the process ring number PRN as found in the IC: or 

(b) all ring numbers in the base register and data descriptors (if any) 
bund in the path which leads to the procedure descriptor from the call 
instruction, including the entry point ring number EPRN located in the 
35 procedure descriptor itself. 

M AXR — The maximum ring number at which a procedure may execute; MAXR 

is found in the segment descriptor of SEG^. 
WR — The minimum ring number at which a procedure may execute; WR is found 
in the segment descriptor of SEG^ 
40 EP — Execution permit bit found in the segment descriptor of SEG^ 

CMRN— The caller's maximum ring number, as found in the first word of the 
segment SEG ro if this segment is identified as a gate segment (Le. with 
the code "gate" set). 
NPRN — New process ring number, 
45 EPRN — Entry point ring number (found in the process procedure descriptor). 
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Signal Name 

(1) WSCLR 

(2) PDARG 

(3) PDURGIT 

(4) UWOBK 

(5) UWHOL 

(6) UW1BK 

(7) UW00000 

(8) UW00010 

(9) UW00I00 

uwoono 

(10) UVSPS 



Type 

Control 
Control 
Connecting 

Connecting 
Control 

Control 



Function 



Control 



Clears register to which it is connected. 
Clock Sfgnal PDA. 

Pin connected to PDA at one end and 

resistor at the other. 
Expands inputs to UW register- 
Holds information in register to which it is 

connected. 
Same as UWOBK but is connected to 

different input terminal of UW register. 
Reset terminal of one flip-flop of register 

UW. 

Set terminal of flip-flop of register UW. 
Same as 7+8 but different flip-flop. 

Spare Control Input. 
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Signal Name 
(I I) UVSPD 

(12) UVOBK 

(13) UV0OO0O 
UV000IO 
UV00100 

uvoouo 

(14) UWV1S 

(15) UWV1D 

(16) UWV2F 

(17) UWV1S 
UWV2S 

(18) UWV1D 

(19) UWV1H 

(20) UWVIC 

(21) UWV2C 

(22) URN IS 
URN2S 

(23) URN ID 

(24) URNSW 

(25) URN2F 

(26) URN1H 

(27) URN2C 
(2S) URW1S 

URW2S 

(29) URW1D 

(30) URV2F 

(31) XNU 

(32) XOO 
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Addendum (cont) 

TyP 0 Function 
Data Spare Data Input. 

Expander Same as UWOBK and UW1BIC, but it 

connects difTerent registers and gates. 
Same as UW00000, UW000I0, U WOO 100, 
UW00I10, but applies to nip-flop UV. 

Control Control input for UWV1F. 

Data Data input for UWV1F. 

F/F Write control flip-flop. 

Control Control unit for UWVtF, UWV2F. 

Data Data input for UWV1F. 

Control Hold UwVIF flip-flop. 

Control Clear UWVIF. 

Control Clear UWV2F. 

Control Control inputs for URNIF, URN2F. 

Data Data Input for URN IF. 

Control Transfer URN 1 F to URN2F and URN2Fto 
URN IF, 

F/F Control loading max (UP. UBS2, 3 to UM). 

Control Hold URN IF flip-flop. 

Control Clear URN2F. 

Control Control inputs for URVlF, URV2F. 

Data Data Input for URVlF. 

F/F Read control flop. 

Indicates terminal not used here in- 
Grounded Input. 
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WHAT WE CLAIM IS:— 

1. An internally programmed data 
processing apparatus CPU having a virtual 
memory system, and being responsive to 
internally stored instruction words for 
processing information and having stored in 
said virtual memory system a plurality of 
difTerent types of groups of information 
each information group-type associated 
with an address space bounded by a 
segment having adjustable bounds, and 
comprising means for protecting the 
information in said-virtual memory system 
from unauthorized users by restricting 
accessability to the information in 
accordance to levels of privilege, said 
means comprising in combination with an 
access checking mechanism; 

(a) first means arranged in operation to 
store in said virtual memory system at least 
one segment table comprising a plurality of 
segment descriptors with each segment 
descriptor being associated with a 
predetermined one of said segments and 
each segment descriptor having a 
predetermined format containing an access 
information element and a base address 
element in predetermined positions of said 
format, said base address element being 
used for locating in said virtual memory 
system the starting location of a selected 



one of said segments, and said access 
information element for specifying the 65 
minimum level of privilege required for a 
predetermined type of access that is 
permitted in a selected one of said 
segments; 

(b) a plurality of second means having a 70 
predetermined format, communicating 
with said first means, arranged to store in a 
predetermined portion of said second 
means, a segment number SEG for 
identifying a segment table and the location 75 
of a segment descriptor within said segment 
table, said second means also being 
arranged to store in a predetermined other 
portion of said second means, an offset 
address within the segment identified by g0 
said segment descriptor said offset address 
locating from said segment base the first 
byte of a word within said segment; 

(c) third means responsive to an address 
syllable element of an instruction being 55 
executed for addressing one of said 
plurality of second means; 

(d) fourth means arranged to store a 
displacement from said address syllable, 

(e) fifth means, communicating with said 90 
first, second* third and fourth means, 
arranged to add the displacement D and 
said base address to said offset; and, 

(f) sixth means responsive to said access 



24 



1.483,282 



24 



10 



15 



20 



25 



30 



35 



40 



45 



50 



55 



60 



65 



information eiement in a selected one of 
said segment descriptors, restricting the 
accessability to the segment associated with 
said selected one of said segment 
descriptors in accordance to the level of 
privilege and the type of access specified in 
said access information element, wherein 
each group-type of information is 
associated with a predetermined ring 
number indicative of a level of privilege 
said level of privilege decreasing as the 
associated ring number increases 
comprising means for determining the 
maximum effective address ring number 
EAR (i.e. minimum level of privilege) of a 
selected process to access a selected group 
of information, said means comprising; 

(a) first means to store first information 
indicating the maximum ring number RD 
(i.e. minimum level of privilege) required to 
read information from said selected group; 

(b) second means to store second 
information indicating the maximum ring 
number WR (i.e. minimum level of 
privilege) required to write information into 
said selected group; 

(c) third means to store third 
information indicating the maximum ring 
number MAXR (i.e. minimum level of 
privilege) required to process information 
from said selected group; and, 

(d) fourth means communicating with 
said first, second and third means, to 
determine the maximum of the contents of 
said first, second and third means whereby 
the effective address ring number EAR is 
generated. 

2. Apparatus according to claim 1, 
wherein said second means for storing the 
maximum ring number WR additionally 
indicates the minimum ring number WR 
(i.e. maximum level of privilege) required 
to process information from said selected 
group. 

3. Apparatus according to claim 1 or 
claim 2, wherein said fourth means to 
generate the effective address ring number 
comprises a comparator for comparing 
binary numbers. 

4. Apparatus according to any one of 
claims I to 3 wherein the sixth means 
restricting the accessibility to the segment 
includes comparator means, 
communicating with said second means, to 
compare the effective address ring number 
EAR with the write ring number WR, and 
further including means communicating 
with said comparator means to generate a 
write-violation-exception signal when EAR 
is greater than WR. 

5. Apparatus according to claim 4, 
wherein the sixth means restricting the 
accessibility to the segment includes seventh 
means, communicating with said second 
and third means thereof to. compare the 



maximum ring number MAXR and the 
write ring number WR with the effective 
address ring number EAR, and further 
including eighth means, communicating 
with said seventh means for generating an 70 
execute-violation-exception signal when the 
MAXR is not equal or greater than EAR 
which in turn is not equal or greater than 
WR. 

6. Apparatus according to claim 5, 75 
wherein in that the sixth means restricting 

the accessibility to the segment includes 
ninth means, communicating with said first 
means, for comparing the effective address 
ring number EAR with the read ring 80 
number RD, and further including 
tenth means, communicating with said 
ninth means, to generate a read-violation- 
exeption signal when EAR is greater than 

7. Apparatus according to claim 6, 
wherein in that the sixth means restricting 
the accessibility to the segment includes 
eleventh means to store a process ring 
number PRN of a currently executing 90 
process, and also including twelfth means 

to communicate with said eleventh means, 
and further including thirteenth means 
communicating said said twelfth means for 
overriding said read-violation-exception 95 
signal when the effective address ring 
number EAR is equal to the process ring 
number PRN of the currently executing 
process. 

8. Apparatus according to any one of the 100 
preceding claims wherein the access 
checking mechanism supervises transfer of 
control of said CPU from a first selected 
procedure (Le. caller) having a first ring 
number indicative of a minimum level of 105 
privilege associated with said caller, to a 
second selected procedure (i.e. the callee) 
having a second ring number associated 
with said callee indicative of a minimum 
level of privilege associated with said 110 
callee, said access checking mechanism 
comprising 

(a) first means for checking the caller's 
right to call the callee; 

(b) second means, communicating with 115 
said first means, to compare the caller's 
ring number to the callee s ring number, 

(c) third means responsive to said second 
means to permit a transfer of control of said 
CPU from said caller to said callee when 120 
the ring number of the caller is greater than 

the ring number of callee (i.e. inward call); 
and, 

(d) fourth means also responsive 

to said second means to deny a 125 
transfer of control of said CPU 
from said caJIcr to said callee when 
the ring number of said caller is less than 
the ring number of the callee (i.e. outward 
call). 130 
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J, 483,282 
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9. Apparatus according to claim 8, 
wherein the access checking mechanism 
includes a plurality of ring stack-segment 
means each of said ring stack-segment 
means having associated with it a ring 
stack-segment number, indicative of the 
minimum level of privilege required by a 
selected one of said procedures to access a 
selected one of said ring stack segments. 

10. Apparatus according to claim 9 
wherein there are four ring stack segment 
means having ring numbers 0 to 3 
respectively. 

11. Apparatus according to claim 9 or 
claim 10 wherein the access checking 
mechanism includes stack-frame-element 
means associated with selected ones of said 
procedures, said stack-frame-eleraent 
means being grouped within said ring stack- 
segment means in accordance with the ring 
number of the associated procedure of said 



stack-framc-element means, said stack 
frame element means to save said register 
of said caller prior to passing control to said 
callcc. " 25 

12. Apparatus according to claim 11, 
wherein the access checking mechanism 
includes first sub-element means, 
responsive to said first, second, third and 
fourth means, for communicating between 30 
a selected one of said stack-frame-means in 
a first ring stack-segment being associated 
with one ring number, and a selected other 
of said stack-frame-means in a second ring 
stack-segment associated with another ring 35 
number. 
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